Edit tour

Windows Analysis Report
hVgcaX2SV8.dll

Overview

General Information

Sample name:	hVgcaX2SV8.dll renamed because original name is a hash value
Original sample name:	28d079409d4015dffe55191250e7eed4.dll
Analysis ID:	1591526
MD5:	28d079409d4015dffe55191250e7eed4
SHA1:	57ea441d26af37a11145ca842b26ea81eeca6a72
SHA256:	a062d5c2b65fa65dbadbc5e42b4af0e97cfab15f67280cb8b87068236a793ae4
Tags:	dllexeWannaCryuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1272 cmdline: loaddll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 768 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6660 cmdline: rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 4308 cmdline: C:\WINDOWS\mssecsvr.exe MD5: C52D23EEDF757DFD3703AC774DE1C457)

rundll32.exe (PID: 984 cmdline: rundll32.exe C:\Users\user\Desktop\hVgcaX2SV8.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6648 cmdline: rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 3656 cmdline: C:\WINDOWS\mssecsvr.exe MD5: C52D23EEDF757DFD3703AC774DE1C457)

mssecsvr.exe (PID: 5536 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: C52D23EEDF757DFD3703AC774DE1C457)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hVgcaX2SV8.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
hVgcaX2SV8.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2104424678.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2123551514.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2133754261.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2151167613.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2774027813.0000000001D61000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2774278925.000000000228A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 4308	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5536	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 3656	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvr.exe.1d52084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.227b8c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.228a948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.228a948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.228a948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.227b8c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227b8c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.227b8c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d52084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d52084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d52084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d61104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d61104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d61104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.22868e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22868e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d61104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d61104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.228a948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.228a948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d5d0a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d5d0a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:58:29.253435+0100	2803304	3	Unknown Traffic	192.168.2.5	49704	103.224.212.215	80	TCP
2025-01-15T02:58:30.937765+0100	2803304	3	Unknown Traffic	192.168.2.5	49706	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:58:28.485004+0100	2830018	1	A Network Trojan was detected	192.168.2.5	54257	1.1.1.1	53	UDP

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03

Source: hVgcaX2SV8.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hVgcaX2SV8.dll,PlayGame

Source: hVgcaX2SV8.dll	Virustotal: Detection: 92%
Source: hVgcaX2SV8.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hVgcaX2SV8.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hVgcaX2SV8.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: hVgcaX2SV8.dll

Static file information: File size 5267459 > 1048576

Source: hVgcaX2SV8.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source:

Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: hVgcaX2SV8.dll, tasksche.exe.5.dr

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 5844	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5844	Thread sleep time: -188000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3116	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3116	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5844	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000007.00000002.2773536526.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"9
Source: mssecsvr.exe, 00000005.00000002.2137869882.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2137869882.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2773536526.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2773536526.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2151839433.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000009.00000002.2151839433.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hVgcaX2SV8.dll	93%	Virustotal		Browse
hVgcaX2SV8.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
hVgcaX2SV8.dll	100%	Avira	TR/Ransom.Gen
hVgcaX2SV8.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	81%	ReversingLabs	Win32.Trojan.VFlooder
C:\Windows\tasksche.exe	81%	ReversingLabs	Win32.Trojan.VFlooder

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNm	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f5d	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Q	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f039	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f0	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e47	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f5d	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f039	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e47	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNm	mssecsvr.exe, 00000009.00000002.2151839433.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	hVgcaX2SV8.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1	mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Q	mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e	mssecsvr.exe, 00000007.00000002.2773536526.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2773536526.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000007.00000002.2772976788.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Xm	mssecsvr.exe, 00000009.00000002.2151839433.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f	mssecsvr.exe, 00000005.00000002.2137869882.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f0	mssecsvr.exe, 00000009.00000002.2151839433.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p	mssecsvr.exe, 00000005.00000002.2137869882.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
30.129.64.110	unknown	United States	7922	COMCAST-7922US	false
170.151.136.20	unknown	United States	19115	CHARTER-19115-DCUS	false
122.200.21.252	unknown	India	38310	ICAN-AS-APiCanSolutionsPvtLtdASIN	false
5.92.127.2	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
5.92.127.1	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
219.202.225.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
147.140.226.125	unknown	United States	22644	TJUHUS	false
170.151.136.1	unknown	United States	19115	CHARTER-19115-DCUS	false
45.33.237.189	unknown	United States	30848	IT-TWT-ASIT	false
38.242.199.232	unknown	United States	36336	NATIXISUS	false
209.178.43.113	unknown	United States	7029	WINDSTREAMUS	false
122.101.248.1	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
122.101.248.2	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
167.35.109.2	unknown	Canada	2665	CDAGOVNCA	false
167.35.109.1	unknown	Canada	2665	CDAGOVNCA	false
219.202.225.135	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
48.223.148.157	unknown	United States	2686	ATGS-MMD-ASUS	false
66.43.16.61	unknown	United States	14233	ANCESTRY-INCUS	false
124.91.26.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591526
Start date and time:	2025-01-15 02:57:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hVgcaX2SV8.dll renamed because original name is a hash value
Original Sample Name:	28d079409d4015dffe55191250e7eed4.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.30.131.245, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:30	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:59:04	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VODAFONE-IT-ASNIT	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	188.217.194.1
	i486.elf	Get hash	malicious	Unknown	Browse	5.90.249.246
	elitebotnet.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	2.46.86.103
	6.elf	Get hash	malicious	Unknown	Browse	31.26.67.104
	5.elf	Get hash	malicious	Unknown	Browse	2.40.217.192
	res.sh4.elf	Get hash	malicious	Unknown	Browse	91.81.135.120
	res.ppc.elf	Get hash	malicious	Unknown	Browse	31.27.46.164
	3.elf	Get hash	malicious	Unknown	Browse	5.95.28.139
	6.elf	Get hash	malicious	Unknown	Browse	83.224.254.117
	3.elf	Get hash	malicious	Unknown	Browse	2.32.151.111
COMCAST-7922US	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	26.51.77.154
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	30.7.203.119
	6fRzgDuqWT.dll	Get hash	malicious	Wannacry	Browse	26.174.0.83
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	28.124.93.83
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	96.221.78.64
	bopY0ot9wf.dll	Get hash	malicious	Wannacry	Browse	73.163.6.192
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	75.65.143.1
	YZJG8NuHEP.dll	Get hash	malicious	Wannacry	Browse	29.248.211.36
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	26.28.204.104
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	26.34.166.1
CHARTER-19115-DCUS	nshmpsl.elf	Get hash	malicious	Mirai	Browse	170.151.221.49
	nshkarm.elf	Get hash	malicious	Mirai	Browse	104.138.97.154
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	170.151.209.153
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.3.89.82
	amen.arm6.elf	Get hash	malicious	Mirai	Browse	170.151.208.43
	amen.ppc.elf	Get hash	malicious	Mirai	Browse	170.151.209.155
	bin.sh.elf	Get hash	malicious	Mirai	Browse	170.151.110.228
	sh4.elf	Get hash	malicious	Unknown	Browse	98.8.37.179
	kkkarm.elf	Get hash	malicious	Unknown	Browse	47.3.254.115
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	170.151.58.165

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.157686687232878
Encrypted:	false
SSDEEP:	24576:tiIfEqSirYbcMNgef0QeQjG/D8kIqRYsm:X7SPbcBVQej/1jm
MD5:	19CB7407A61FF21C0443E2D6BEEB524B
SHA1:	6A87D25C84D2864148FE4039EE66DACF35AF1DAC
SHA-256:	77F5B72CFD3B90230505F5BECDEFF191EBDF7933FD1669417276606C6625CA41
SHA-512:	5E145DED73CF59E03D9B5B141F8E2C310DB7CF8876885ACBE254AC0F92F0692FE2AD75227C7EE135D449AC3C5AE97632C70E8F64E452F34CF4EF06BDD3B84721
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	5.157686687232878
Encrypted:	false
SSDEEP:	24576:tiIfEqSirYbcMNgef0QeQjG/D8kIqRYsm:X7SPbcBVQej/1jm
MD5:	19CB7407A61FF21C0443E2D6BEEB524B
SHA1:	6A87D25C84D2864148FE4039EE66DACF35AF1DAC
SHA-256:	77F5B72CFD3B90230505F5BECDEFF191EBDF7933FD1669417276606C6625CA41
SHA-512:	5E145DED73CF59E03D9B5B141F8E2C310DB7CF8876885ACBE254AC0F92F0692FE2AD75227C7EE135D449AC3C5AE97632C70E8F64E452F34CF4EF06BDD3B84721
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.6636042568344824
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hVgcaX2SV8.dll
File size:	5'267'459 bytes
MD5:	28d079409d4015dffe55191250e7eed4
SHA1:	57ea441d26af37a11145ca842b26ea81eeca6a72
SHA256:	a062d5c2b65fa65dbadbc5e42b4af0e97cfab15f67280cb8b87068236a793ae4
SHA512:	9dfff42553c23ce2aa8d70f4d8b14b4b65427be2cea51f9bbcda1f1ad04db4c987e8252c4a58632111a01b3db64f0e8a4e190306cd42b70fd4e3418333566dcc
SSDEEP:	24576:RbLguriIfEqSirYbcMNgef0QeQjG/D8kIqRYs:Rnp7SPbcBVQej/1j
TLSH:	4436237234DC80B4D507323494778F26A5BA7C39227AA94FAF904E352F23B92E719753
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F496C60212Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F496C602148h
cmp esi, 01h
je 00007F496C602127h
cmp esi, 02h
jne 00007F496C602144h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F496C60212Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F496C60212Eh
push edi
push esi
push ebx
call 00007F496C60203Ah
test eax, eax
jne 00007F496C602126h
xor eax, eax
jmp 00007F496C602170h
push edi
push esi
push ebx
call 00007F496C601EECh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F496C60212Eh
test eax, eax
jne 00007F496C602159h
push edi
push eax
push ebx
call 00007F496C602016h
test esi, esi
je 00007F496C602127h
cmp esi, 03h
jne 00007F496C602148h
push edi
push esi
push ebx
call 00007F496C602005h
test eax, eax
jne 00007F496C602125h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F496C602133h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F496C60212Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	1e5db469859bc724a420d0f56fae1d72	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8359994888305664

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T02:58:28.485004+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.5	54257	1.1.1.1	53	UDP
2025-01-15T02:58:29.253435+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49704	103.224.212.215	80	TCP
2025-01-15T02:58:30.937765+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49706	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:58:22.019021988 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:22.019030094 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:22.144098997 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:28.648837090 CET	49704	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:28.653867006 CET	80	49704	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:28.653979063 CET	49704	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:28.654110909 CET	49704	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:28.658914089 CET	80	49704	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:29.253204107 CET	80	49704	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:29.253263950 CET	80	49704	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:29.253434896 CET	49704	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:29.277323008 CET	49704	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:29.282437086 CET	80	49704	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:29.606517076 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:29.611392975 CET	80	49705	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:29.611495972 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:29.611684084 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:29.616511106 CET	80	49705	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:30.068670988 CET	80	49705	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:30.068720102 CET	80	49705	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:30.068907976 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.157238007 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.157336950 CET	49705	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.308207035 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.312998056 CET	80	49706	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:30.313086033 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.313309908 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.318063021 CET	80	49706	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:30.937666893 CET	80	49706	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:30.937730074 CET	80	49706	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:30.937764883 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.937860012 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.941605091 CET	49706	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:30.942949057 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.946391106 CET	80	49706	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:30.947797060 CET	80	49707	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:30.948050976 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.948050976 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:30.952860117 CET	80	49707	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:31.361326933 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.366168022 CET	80	49708	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:31.370366096 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.370541096 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.375250101 CET	80	49708	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:31.402571917 CET	80	49707	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:31.402595997 CET	80	49707	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:31.402666092 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.410676003 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.410702944 CET	49707	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.529385090 CET	49709	445	192.168.2.5	167.35.109.228
Jan 15, 2025 02:58:31.534615040 CET	445	49709	167.35.109.228	192.168.2.5
Jan 15, 2025 02:58:31.535057068 CET	49709	445	192.168.2.5	167.35.109.228
Jan 15, 2025 02:58:31.536079884 CET	49709	445	192.168.2.5	167.35.109.228
Jan 15, 2025 02:58:31.536307096 CET	49710	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.540884972 CET	445	49709	167.35.109.228	192.168.2.5
Jan 15, 2025 02:58:31.540931940 CET	49709	445	192.168.2.5	167.35.109.228
Jan 15, 2025 02:58:31.541110039 CET	445	49710	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:31.541187048 CET	49710	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.541238070 CET	49710	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.545754910 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.546062946 CET	445	49710	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:31.546129942 CET	49710	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.550601959 CET	445	49711	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:31.550662041 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.550749063 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:31.555455923 CET	445	49711	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:31.628177881 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:31.628215075 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:31.753168106 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:31.964457989 CET	80	49708	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:31.964544058 CET	80	49708	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:31.964560032 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.964596987 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.967323065 CET	49708	80	192.168.2.5	103.224.212.215
Jan 15, 2025 02:58:31.968660116 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.972165108 CET	80	49708	103.224.212.215	192.168.2.5
Jan 15, 2025 02:58:31.973447084 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:31.973526001 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.973670959 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:31.978535891 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:32.429480076 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:32.429512978 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 02:58:32.429759026 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:32.437789917 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:32.437813044 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 02:58:33.396446943 CET	443	49703	23.1.237.91	192.168.2.5
Jan 15, 2025 02:58:33.398441076 CET	49703	443	192.168.2.5	23.1.237.91
Jan 15, 2025 02:58:33.540196896 CET	49735	445	192.168.2.5	5.92.127.51
Jan 15, 2025 02:58:33.545157909 CET	445	49735	5.92.127.51	192.168.2.5
Jan 15, 2025 02:58:33.545264959 CET	49735	445	192.168.2.5	5.92.127.51
Jan 15, 2025 02:58:33.545361042 CET	49735	445	192.168.2.5	5.92.127.51
Jan 15, 2025 02:58:33.545728922 CET	49736	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.550393105 CET	445	49735	5.92.127.51	192.168.2.5
Jan 15, 2025 02:58:33.550468922 CET	49735	445	192.168.2.5	5.92.127.51
Jan 15, 2025 02:58:33.550616980 CET	445	49736	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:33.550713062 CET	49736	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.550780058 CET	49736	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.552186966 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.555632114 CET	445	49736	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:33.555704117 CET	49736	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.556982040 CET	445	49737	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:33.557060957 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.557120085 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:33.561933041 CET	445	49737	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:35.573782921 CET	49759	445	192.168.2.5	161.7.75.74
Jan 15, 2025 02:58:35.578891993 CET	445	49759	161.7.75.74	192.168.2.5
Jan 15, 2025 02:58:35.578984976 CET	49759	445	192.168.2.5	161.7.75.74
Jan 15, 2025 02:58:35.580044031 CET	49759	445	192.168.2.5	161.7.75.74
Jan 15, 2025 02:58:35.580238104 CET	49760	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.585249901 CET	445	49760	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:35.585279942 CET	445	49759	161.7.75.74	192.168.2.5
Jan 15, 2025 02:58:35.585314035 CET	49760	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.585342884 CET	49759	445	192.168.2.5	161.7.75.74
Jan 15, 2025 02:58:35.585418940 CET	49760	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.588762999 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.590382099 CET	445	49760	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:35.590449095 CET	49760	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.593534946 CET	445	49761	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:35.593625069 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.593688011 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:35.598426104 CET	445	49761	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:37.585675001 CET	49781	445	192.168.2.5	40.92.175.109
Jan 15, 2025 02:58:37.590558052 CET	445	49781	40.92.175.109	192.168.2.5
Jan 15, 2025 02:58:37.590662003 CET	49781	445	192.168.2.5	40.92.175.109
Jan 15, 2025 02:58:37.590677977 CET	49781	445	192.168.2.5	40.92.175.109
Jan 15, 2025 02:58:37.590816021 CET	49783	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.595629930 CET	445	49783	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:37.595679998 CET	445	49781	40.92.175.109	192.168.2.5
Jan 15, 2025 02:58:37.595732927 CET	49781	445	192.168.2.5	40.92.175.109
Jan 15, 2025 02:58:37.595824957 CET	49783	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.595865011 CET	49783	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.598352909 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.600826979 CET	445	49783	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:37.600891113 CET	49783	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.603159904 CET	445	49784	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:37.603250027 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.603291035 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:37.608098984 CET	445	49784	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:39.598370075 CET	49806	445	192.168.2.5	223.67.238.124
Jan 15, 2025 02:58:39.603358030 CET	445	49806	223.67.238.124	192.168.2.5
Jan 15, 2025 02:58:39.603482008 CET	49806	445	192.168.2.5	223.67.238.124
Jan 15, 2025 02:58:39.603528023 CET	49806	445	192.168.2.5	223.67.238.124
Jan 15, 2025 02:58:39.603763103 CET	49807	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.608531952 CET	445	49806	223.67.238.124	192.168.2.5
Jan 15, 2025 02:58:39.608599901 CET	49806	445	192.168.2.5	223.67.238.124
Jan 15, 2025 02:58:39.608705044 CET	445	49807	223.67.238.1	192.168.2.5
Jan 15, 2025 02:58:39.608784914 CET	49807	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.608865976 CET	49807	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.609831095 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.613805056 CET	445	49807	223.67.238.1	192.168.2.5
Jan 15, 2025 02:58:39.613866091 CET	49807	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.614729881 CET	445	49808	223.67.238.1	192.168.2.5
Jan 15, 2025 02:58:39.614797115 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.614900112 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:58:39.619703054 CET	445	49808	223.67.238.1	192.168.2.5
Jan 15, 2025 02:58:41.613859892 CET	49838	445	192.168.2.5	66.102.158.38
Jan 15, 2025 02:58:41.618644953 CET	445	49838	66.102.158.38	192.168.2.5
Jan 15, 2025 02:58:41.618752003 CET	49838	445	192.168.2.5	66.102.158.38
Jan 15, 2025 02:58:41.618752003 CET	49838	445	192.168.2.5	66.102.158.38
Jan 15, 2025 02:58:41.618916035 CET	49839	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.623663902 CET	445	49839	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:41.623728991 CET	49839	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.623735905 CET	445	49838	66.102.158.38	192.168.2.5
Jan 15, 2025 02:58:41.623795033 CET	49838	445	192.168.2.5	66.102.158.38
Jan 15, 2025 02:58:41.623867989 CET	49839	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.624923944 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.628680944 CET	445	49839	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:41.628803015 CET	49839	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.630242109 CET	445	49840	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:41.630315065 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.630341053 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:41.637433052 CET	445	49840	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:43.288295031 CET	445	49840	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:43.288387060 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:43.288434982 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:43.288538933 CET	49840	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:43.293759108 CET	445	49840	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:43.293773890 CET	445	49840	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:43.628730059 CET	49877	445	192.168.2.5	136.61.41.150
Jan 15, 2025 02:58:43.633697033 CET	445	49877	136.61.41.150	192.168.2.5
Jan 15, 2025 02:58:43.633779049 CET	49877	445	192.168.2.5	136.61.41.150
Jan 15, 2025 02:58:43.633867979 CET	49877	445	192.168.2.5	136.61.41.150
Jan 15, 2025 02:58:43.634042978 CET	49878	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.638765097 CET	445	49877	136.61.41.150	192.168.2.5
Jan 15, 2025 02:58:43.638794899 CET	445	49878	136.61.41.1	192.168.2.5
Jan 15, 2025 02:58:43.638874054 CET	49877	445	192.168.2.5	136.61.41.150
Jan 15, 2025 02:58:43.638875008 CET	49878	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.638952017 CET	49878	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.639462948 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.643846989 CET	445	49878	136.61.41.1	192.168.2.5
Jan 15, 2025 02:58:43.643922091 CET	49878	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.644228935 CET	445	49879	136.61.41.1	192.168.2.5
Jan 15, 2025 02:58:43.644289017 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.644519091 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:58:43.649260044 CET	445	49879	136.61.41.1	192.168.2.5
Jan 15, 2025 02:58:45.644371033 CET	49914	445	192.168.2.5	122.101.248.12
Jan 15, 2025 02:58:45.649785995 CET	445	49914	122.101.248.12	192.168.2.5
Jan 15, 2025 02:58:45.649876118 CET	49914	445	192.168.2.5	122.101.248.12
Jan 15, 2025 02:58:45.649899006 CET	49914	445	192.168.2.5	122.101.248.12
Jan 15, 2025 02:58:45.650043964 CET	49915	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.656443119 CET	445	49915	122.101.248.1	192.168.2.5
Jan 15, 2025 02:58:45.656502962 CET	445	49914	122.101.248.12	192.168.2.5
Jan 15, 2025 02:58:45.656538963 CET	49915	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.656579018 CET	49914	445	192.168.2.5	122.101.248.12
Jan 15, 2025 02:58:45.656688929 CET	49915	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.657020092 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.661591053 CET	445	49915	122.101.248.1	192.168.2.5
Jan 15, 2025 02:58:45.661657095 CET	49915	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.661896944 CET	445	49916	122.101.248.1	192.168.2.5
Jan 15, 2025 02:58:45.661958933 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.661993027 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:58:45.667736053 CET	445	49916	122.101.248.1	192.168.2.5
Jan 15, 2025 02:58:46.300494909 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:46.332814932 CET	445	49925	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:46.332947016 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:46.333086967 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:46.340704918 CET	445	49925	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:47.660022020 CET	49949	445	192.168.2.5	66.43.16.61
Jan 15, 2025 02:58:47.664927959 CET	445	49949	66.43.16.61	192.168.2.5
Jan 15, 2025 02:58:47.665052891 CET	49949	445	192.168.2.5	66.43.16.61
Jan 15, 2025 02:58:47.665100098 CET	49949	445	192.168.2.5	66.43.16.61
Jan 15, 2025 02:58:47.665255070 CET	49951	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.669984102 CET	445	49949	66.43.16.61	192.168.2.5
Jan 15, 2025 02:58:47.670093060 CET	49949	445	192.168.2.5	66.43.16.61
Jan 15, 2025 02:58:47.670098066 CET	445	49951	66.43.16.1	192.168.2.5
Jan 15, 2025 02:58:47.670171022 CET	49951	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.670303106 CET	49951	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.671329021 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.675199986 CET	445	49951	66.43.16.1	192.168.2.5
Jan 15, 2025 02:58:47.675271034 CET	49951	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.676239014 CET	445	49952	66.43.16.1	192.168.2.5
Jan 15, 2025 02:58:47.676340103 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.676438093 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:58:47.681324005 CET	445	49952	66.43.16.1	192.168.2.5
Jan 15, 2025 02:58:48.000591040 CET	445	49925	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:48.000690937 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:48.000802040 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:48.000873089 CET	49925	445	192.168.2.5	66.102.158.1
Jan 15, 2025 02:58:48.006731987 CET	445	49925	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:48.006761074 CET	445	49925	66.102.158.1	192.168.2.5
Jan 15, 2025 02:58:48.066070080 CET	49959	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.070972919 CET	445	49959	66.102.158.2	192.168.2.5
Jan 15, 2025 02:58:48.071101904 CET	49959	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.071183920 CET	49959	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.071618080 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.076229095 CET	445	49959	66.102.158.2	192.168.2.5
Jan 15, 2025 02:58:48.076311111 CET	49959	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.076502085 CET	445	49960	66.102.158.2	192.168.2.5
Jan 15, 2025 02:58:48.076948881 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.076948881 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:58:48.081814051 CET	445	49960	66.102.158.2	192.168.2.5
Jan 15, 2025 02:58:49.682751894 CET	49988	445	192.168.2.5	197.168.4.72
Jan 15, 2025 02:58:49.687602997 CET	445	49988	197.168.4.72	192.168.2.5
Jan 15, 2025 02:58:49.687680006 CET	49988	445	192.168.2.5	197.168.4.72
Jan 15, 2025 02:58:49.687709093 CET	49988	445	192.168.2.5	197.168.4.72
Jan 15, 2025 02:58:49.687844992 CET	49990	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.692660093 CET	445	49990	197.168.4.1	192.168.2.5
Jan 15, 2025 02:58:49.692672014 CET	445	49988	197.168.4.72	192.168.2.5
Jan 15, 2025 02:58:49.692739964 CET	49990	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.692769051 CET	49988	445	192.168.2.5	197.168.4.72
Jan 15, 2025 02:58:49.692879915 CET	49990	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.693190098 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.697731018 CET	445	49990	197.168.4.1	192.168.2.5
Jan 15, 2025 02:58:49.697782993 CET	49990	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.697993040 CET	445	49991	197.168.4.1	192.168.2.5
Jan 15, 2025 02:58:49.698147058 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.698147058 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:58:49.702936888 CET	445	49991	197.168.4.1	192.168.2.5
Jan 15, 2025 02:58:51.691091061 CET	50022	445	192.168.2.5	38.242.199.232
Jan 15, 2025 02:58:51.695919991 CET	445	50022	38.242.199.232	192.168.2.5
Jan 15, 2025 02:58:51.696002007 CET	50022	445	192.168.2.5	38.242.199.232
Jan 15, 2025 02:58:51.696014881 CET	50022	445	192.168.2.5	38.242.199.232
Jan 15, 2025 02:58:51.696099043 CET	50023	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.700889111 CET	445	50023	38.242.199.1	192.168.2.5
Jan 15, 2025 02:58:51.700927973 CET	445	50022	38.242.199.232	192.168.2.5
Jan 15, 2025 02:58:51.701103926 CET	50022	445	192.168.2.5	38.242.199.232
Jan 15, 2025 02:58:51.701198101 CET	50023	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.701376915 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.706187963 CET	445	50023	38.242.199.1	192.168.2.5
Jan 15, 2025 02:58:51.706199884 CET	445	50024	38.242.199.1	192.168.2.5
Jan 15, 2025 02:58:51.706252098 CET	50023	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.706285000 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.706312895 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:58:51.711148977 CET	445	50024	38.242.199.1	192.168.2.5
Jan 15, 2025 02:58:52.929212093 CET	445	49711	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:52.929296017 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:52.929349899 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:52.929406881 CET	49711	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:52.934118986 CET	445	49711	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:52.934130907 CET	445	49711	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:53.707093000 CET	50057	445	192.168.2.5	34.28.85.153
Jan 15, 2025 02:58:53.711977005 CET	445	50057	34.28.85.153	192.168.2.5
Jan 15, 2025 02:58:53.712161064 CET	50057	445	192.168.2.5	34.28.85.153
Jan 15, 2025 02:58:53.712342978 CET	50057	445	192.168.2.5	34.28.85.153
Jan 15, 2025 02:58:53.712579966 CET	50058	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.717370987 CET	445	50058	34.28.85.1	192.168.2.5
Jan 15, 2025 02:58:53.717386961 CET	445	50057	34.28.85.153	192.168.2.5
Jan 15, 2025 02:58:53.717478037 CET	50057	445	192.168.2.5	34.28.85.153
Jan 15, 2025 02:58:53.717494011 CET	50058	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.717545033 CET	50058	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.717895031 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.722460985 CET	445	50058	34.28.85.1	192.168.2.5
Jan 15, 2025 02:58:53.722548008 CET	50058	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.722678900 CET	445	50059	34.28.85.1	192.168.2.5
Jan 15, 2025 02:58:53.722738981 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.722770929 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:58:53.727488995 CET	445	50059	34.28.85.1	192.168.2.5
Jan 15, 2025 02:58:54.946738005 CET	445	49737	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:54.946903944 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:54.946970940 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:54.947043896 CET	49737	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:54.951796055 CET	445	49737	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:54.951827049 CET	445	49737	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:55.722512960 CET	50091	445	192.168.2.5	117.2.101.56
Jan 15, 2025 02:58:55.727375984 CET	445	50091	117.2.101.56	192.168.2.5
Jan 15, 2025 02:58:55.727471113 CET	50091	445	192.168.2.5	117.2.101.56
Jan 15, 2025 02:58:55.727505922 CET	50091	445	192.168.2.5	117.2.101.56
Jan 15, 2025 02:58:55.727699995 CET	50093	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.732561111 CET	445	50093	117.2.101.1	192.168.2.5
Jan 15, 2025 02:58:55.732574940 CET	445	50091	117.2.101.56	192.168.2.5
Jan 15, 2025 02:58:55.732681990 CET	50093	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.732681990 CET	50091	445	192.168.2.5	117.2.101.56
Jan 15, 2025 02:58:55.733163118 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.737627029 CET	445	50093	117.2.101.1	192.168.2.5
Jan 15, 2025 02:58:55.737711906 CET	50093	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.738003016 CET	445	50094	117.2.101.1	192.168.2.5
Jan 15, 2025 02:58:55.738071918 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.738116026 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:58:55.742883921 CET	445	50094	117.2.101.1	192.168.2.5
Jan 15, 2025 02:58:55.941154957 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:55.946099997 CET	445	50100	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:55.946331978 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:55.946358919 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:58:55.951116085 CET	445	50100	167.35.109.1	192.168.2.5
Jan 15, 2025 02:58:56.958698988 CET	445	49761	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:56.958854914 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:56.958919048 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:56.958992958 CET	49761	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:56.963850975 CET	445	49761	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:56.963872910 CET	445	49761	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:57.738341093 CET	50109	445	192.168.2.5	48.111.230.181
Jan 15, 2025 02:58:57.743119001 CET	445	50109	48.111.230.181	192.168.2.5
Jan 15, 2025 02:58:57.743246078 CET	50109	445	192.168.2.5	48.111.230.181
Jan 15, 2025 02:58:57.743385077 CET	50109	445	192.168.2.5	48.111.230.181
Jan 15, 2025 02:58:57.743762016 CET	50110	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.748264074 CET	445	50109	48.111.230.181	192.168.2.5
Jan 15, 2025 02:58:57.748357058 CET	50109	445	192.168.2.5	48.111.230.181
Jan 15, 2025 02:58:57.748589993 CET	445	50110	48.111.230.1	192.168.2.5
Jan 15, 2025 02:58:57.748670101 CET	50110	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.748748064 CET	50110	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.749165058 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.753535986 CET	445	50110	48.111.230.1	192.168.2.5
Jan 15, 2025 02:58:57.753699064 CET	50110	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.754009008 CET	445	50111	48.111.230.1	192.168.2.5
Jan 15, 2025 02:58:57.754080057 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.754121065 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:58:57.758881092 CET	445	50111	48.111.230.1	192.168.2.5
Jan 15, 2025 02:58:57.956892967 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:57.961776972 CET	445	50113	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:57.961860895 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:57.961957932 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:58:57.966743946 CET	445	50113	5.92.127.1	192.168.2.5
Jan 15, 2025 02:58:59.009268999 CET	445	49784	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:59.012890100 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:59.012936115 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:59.013011932 CET	49784	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:58:59.017764091 CET	445	49784	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:59.017837048 CET	445	49784	40.92.175.1	192.168.2.5
Jan 15, 2025 02:58:59.753937960 CET	50123	445	192.168.2.5	75.199.66.17
Jan 15, 2025 02:58:59.758758068 CET	445	50123	75.199.66.17	192.168.2.5
Jan 15, 2025 02:58:59.758843899 CET	50123	445	192.168.2.5	75.199.66.17
Jan 15, 2025 02:58:59.758910894 CET	50123	445	192.168.2.5	75.199.66.17
Jan 15, 2025 02:58:59.759174109 CET	50124	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.763885021 CET	445	50123	75.199.66.17	192.168.2.5
Jan 15, 2025 02:58:59.763951063 CET	50123	445	192.168.2.5	75.199.66.17
Jan 15, 2025 02:58:59.764002085 CET	445	50124	75.199.66.1	192.168.2.5
Jan 15, 2025 02:58:59.764081955 CET	50124	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.764132977 CET	50124	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.764559031 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.769094944 CET	445	50124	75.199.66.1	192.168.2.5
Jan 15, 2025 02:58:59.769167900 CET	50124	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.769376040 CET	445	50125	75.199.66.1	192.168.2.5
Jan 15, 2025 02:58:59.769448996 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.769463062 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:58:59.774296999 CET	445	50125	75.199.66.1	192.168.2.5
Jan 15, 2025 02:58:59.972235918 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:59.976990938 CET	445	50127	161.7.75.1	192.168.2.5
Jan 15, 2025 02:58:59.977086067 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:59.977142096 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:58:59.981895924 CET	445	50127	161.7.75.1	192.168.2.5
Jan 15, 2025 02:59:00.972453117 CET	445	49808	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:00.974370956 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:00.974426985 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:00.974499941 CET	49808	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:00.979422092 CET	445	49808	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:00.979433060 CET	445	49808	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:01.803594112 CET	50136	445	192.168.2.5	76.182.197.189
Jan 15, 2025 02:59:01.808383942 CET	445	50136	76.182.197.189	192.168.2.5
Jan 15, 2025 02:59:01.808481932 CET	50136	445	192.168.2.5	76.182.197.189
Jan 15, 2025 02:59:01.810055017 CET	50136	445	192.168.2.5	76.182.197.189
Jan 15, 2025 02:59:01.810252905 CET	50137	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.814934015 CET	445	50136	76.182.197.189	192.168.2.5
Jan 15, 2025 02:59:01.815006971 CET	50136	445	192.168.2.5	76.182.197.189
Jan 15, 2025 02:59:01.815077066 CET	445	50137	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:01.815140009 CET	50137	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.815529108 CET	50137	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.815927029 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.820370913 CET	445	50137	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:01.820449114 CET	50137	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.820791006 CET	445	50138	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:01.820853949 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.823900938 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:01.828722000 CET	445	50138	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:02.041228056 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:02.046152115 CET	445	50141	40.92.175.1	192.168.2.5
Jan 15, 2025 02:59:02.046277046 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:02.062638998 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:02.067451000 CET	445	50141	40.92.175.1	192.168.2.5
Jan 15, 2025 02:59:03.785015106 CET	50151	445	192.168.2.5	30.129.64.110
Jan 15, 2025 02:59:03.789851904 CET	445	50151	30.129.64.110	192.168.2.5
Jan 15, 2025 02:59:03.790481091 CET	50151	445	192.168.2.5	30.129.64.110
Jan 15, 2025 02:59:03.790510893 CET	50151	445	192.168.2.5	30.129.64.110
Jan 15, 2025 02:59:03.790700912 CET	50152	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.795569897 CET	445	50151	30.129.64.110	192.168.2.5
Jan 15, 2025 02:59:03.795584917 CET	445	50152	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:03.795676947 CET	50151	445	192.168.2.5	30.129.64.110
Jan 15, 2025 02:59:03.795743942 CET	50152	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.795881987 CET	50152	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.796184063 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.800769091 CET	445	50152	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:03.801076889 CET	445	50153	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:03.801192999 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.801213980 CET	50152	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.801268101 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:03.806044102 CET	445	50153	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:03.987834930 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:03.992738962 CET	445	50155	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:03.992830038 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:03.992888927 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:03.997652054 CET	445	50155	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:04.988100052 CET	445	49879	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:04.988223076 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:04.988289118 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:04.988346100 CET	49879	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:04.993040085 CET	445	49879	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:04.993177891 CET	445	49879	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:05.800668955 CET	50164	445	192.168.2.5	124.91.26.128
Jan 15, 2025 02:59:05.805706024 CET	445	50164	124.91.26.128	192.168.2.5
Jan 15, 2025 02:59:05.805819988 CET	50164	445	192.168.2.5	124.91.26.128
Jan 15, 2025 02:59:05.805819988 CET	50164	445	192.168.2.5	124.91.26.128
Jan 15, 2025 02:59:05.805973053 CET	50165	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.810792923 CET	445	50165	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:05.810806036 CET	445	50164	124.91.26.128	192.168.2.5
Jan 15, 2025 02:59:05.810851097 CET	50165	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.810960054 CET	50164	445	192.168.2.5	124.91.26.128
Jan 15, 2025 02:59:05.810964108 CET	50165	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.814168930 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.815768003 CET	445	50165	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:05.815874100 CET	50165	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.819055080 CET	445	50166	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:05.819125891 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.820954084 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:05.825788975 CET	445	50166	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:07.019622087 CET	445	49916	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:07.019700050 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:07.019753933 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:07.019792080 CET	49916	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:07.024616957 CET	445	49916	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:07.024646044 CET	445	49916	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:07.675585032 CET	50178	445	192.168.2.5	197.84.254.223
Jan 15, 2025 02:59:07.680434942 CET	445	50178	197.84.254.223	192.168.2.5
Jan 15, 2025 02:59:07.680531025 CET	50178	445	192.168.2.5	197.84.254.223
Jan 15, 2025 02:59:07.680557013 CET	50178	445	192.168.2.5	197.84.254.223
Jan 15, 2025 02:59:07.680679083 CET	50179	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.685566902 CET	445	50178	197.84.254.223	192.168.2.5
Jan 15, 2025 02:59:07.685584068 CET	445	50179	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:07.685630083 CET	50178	445	192.168.2.5	197.84.254.223
Jan 15, 2025 02:59:07.685662985 CET	50179	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.685740948 CET	50179	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.686067104 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.690632105 CET	445	50179	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:07.690700054 CET	50179	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.690910101 CET	445	50180	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:07.690985918 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.691055059 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:07.695928097 CET	445	50180	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:08.003551960 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:08.009644985 CET	445	50182	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:08.009887934 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:08.009887934 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:08.014710903 CET	445	50182	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:09.052521944 CET	445	49952	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:09.052601099 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:09.052633047 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:09.052668095 CET	49952	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:09.057421923 CET	445	49952	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:09.057434082 CET	445	49952	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:09.425848961 CET	50191	445	192.168.2.5	79.125.115.104
Jan 15, 2025 02:59:09.430674076 CET	445	50191	79.125.115.104	192.168.2.5
Jan 15, 2025 02:59:09.430758953 CET	50191	445	192.168.2.5	79.125.115.104
Jan 15, 2025 02:59:09.430815935 CET	50191	445	192.168.2.5	79.125.115.104
Jan 15, 2025 02:59:09.431010008 CET	50192	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.435684919 CET	445	50191	79.125.115.104	192.168.2.5
Jan 15, 2025 02:59:09.435750008 CET	50191	445	192.168.2.5	79.125.115.104
Jan 15, 2025 02:59:09.435817003 CET	445	50192	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:09.435883999 CET	50192	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.435977936 CET	50192	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.436306000 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.440778017 CET	445	50192	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:09.440830946 CET	50192	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.441106081 CET	445	50193	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:09.441163063 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.441198111 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:09.445947886 CET	445	50193	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:09.459031105 CET	445	49960	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:09.459115028 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:09.459150076 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:09.459187984 CET	49960	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:09.463870049 CET	445	49960	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:09.463891029 CET	445	49960	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:10.034914017 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:10.039930105 CET	445	50198	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:10.040698051 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:10.040736914 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:10.045759916 CET	445	50198	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:11.066689014 CET	50203	445	192.168.2.5	45.33.237.189
Jan 15, 2025 02:59:11.269731045 CET	445	49991	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:11.271933079 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:11.272032976 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:11.272058964 CET	49991	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:11.274719000 CET	445	50203	45.33.237.189	192.168.2.5
Jan 15, 2025 02:59:11.274995089 CET	50203	445	192.168.2.5	45.33.237.189
Jan 15, 2025 02:59:11.277857065 CET	445	49991	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:11.277861118 CET	445	49991	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:11.299959898 CET	50203	445	192.168.2.5	45.33.237.189
Jan 15, 2025 02:59:11.300215006 CET	50204	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.307174921 CET	445	50203	45.33.237.189	192.168.2.5
Jan 15, 2025 02:59:11.307246923 CET	50203	445	192.168.2.5	45.33.237.189
Jan 15, 2025 02:59:11.307559013 CET	445	50204	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:11.307629108 CET	50204	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.307737112 CET	50204	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.308123112 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.312643051 CET	445	50204	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:11.312954903 CET	445	50206	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:11.313019991 CET	50204	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.313050985 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.314743996 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:11.319576025 CET	445	50206	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:12.066071987 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:12.071933031 CET	445	50210	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:12.072037935 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:12.072091103 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:12.079560995 CET	445	50210	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:12.472146034 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:12.476973057 CET	445	50214	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:12.477138996 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:12.477159977 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:12.481986046 CET	445	50214	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:12.597856045 CET	50216	445	192.168.2.5	147.140.226.125
Jan 15, 2025 02:59:12.603166103 CET	445	50216	147.140.226.125	192.168.2.5
Jan 15, 2025 02:59:12.606405020 CET	50216	445	192.168.2.5	147.140.226.125
Jan 15, 2025 02:59:12.606441975 CET	50216	445	192.168.2.5	147.140.226.125
Jan 15, 2025 02:59:12.606614113 CET	50217	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.611392975 CET	445	50217	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:12.611407995 CET	445	50216	147.140.226.125	192.168.2.5
Jan 15, 2025 02:59:12.611474991 CET	50216	445	192.168.2.5	147.140.226.125
Jan 15, 2025 02:59:12.611489058 CET	50217	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.611565113 CET	50217	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.611809015 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.616597891 CET	445	50218	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:12.618381977 CET	445	50217	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:12.618401051 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.618434906 CET	50217	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.618449926 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:12.623191118 CET	445	50218	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:13.065460920 CET	445	50206	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:13.065888882 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:13.065980911 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:13.065980911 CET	50206	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:13.070777893 CET	445	50206	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:13.070786953 CET	445	50206	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:13.082223892 CET	445	50024	38.242.199.1	192.168.2.5
Jan 15, 2025 02:59:13.082422018 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:13.082492113 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:13.082492113 CET	50024	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:13.087385893 CET	445	50024	38.242.199.1	192.168.2.5
Jan 15, 2025 02:59:13.087398052 CET	445	50024	38.242.199.1	192.168.2.5
Jan 15, 2025 02:59:14.019648075 CET	50228	445	192.168.2.5	150.215.1.80
Jan 15, 2025 02:59:14.024460077 CET	445	50228	150.215.1.80	192.168.2.5
Jan 15, 2025 02:59:14.024580002 CET	50228	445	192.168.2.5	150.215.1.80
Jan 15, 2025 02:59:14.024617910 CET	50228	445	192.168.2.5	150.215.1.80
Jan 15, 2025 02:59:14.024805069 CET	50229	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.029607058 CET	445	50228	150.215.1.80	192.168.2.5
Jan 15, 2025 02:59:14.029675961 CET	50228	445	192.168.2.5	150.215.1.80
Jan 15, 2025 02:59:14.029732943 CET	445	50229	150.215.1.1	192.168.2.5
Jan 15, 2025 02:59:14.029799938 CET	50229	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.029887915 CET	50229	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.030203104 CET	50230	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.035952091 CET	445	50229	150.215.1.1	192.168.2.5
Jan 15, 2025 02:59:14.035981894 CET	445	50230	150.215.1.1	192.168.2.5
Jan 15, 2025 02:59:14.036066055 CET	50229	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.036135912 CET	50230	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.036333084 CET	50230	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:14.041266918 CET	445	50230	150.215.1.1	192.168.2.5
Jan 15, 2025 02:59:14.284686089 CET	50233	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:14.289549112 CET	445	50233	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:14.289652109 CET	50233	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:14.289689064 CET	50233	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:14.294924974 CET	445	50233	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:15.103344917 CET	445	50059	34.28.85.1	192.168.2.5
Jan 15, 2025 02:59:15.103506088 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:15.103506088 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:15.103602886 CET	50059	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:15.108302116 CET	445	50059	34.28.85.1	192.168.2.5
Jan 15, 2025 02:59:15.108347893 CET	445	50059	34.28.85.1	192.168.2.5
Jan 15, 2025 02:59:15.347649097 CET	50240	445	192.168.2.5	29.183.147.247
Jan 15, 2025 02:59:15.352502108 CET	445	50240	29.183.147.247	192.168.2.5
Jan 15, 2025 02:59:15.352585077 CET	50240	445	192.168.2.5	29.183.147.247
Jan 15, 2025 02:59:15.352616072 CET	50240	445	192.168.2.5	29.183.147.247
Jan 15, 2025 02:59:15.352750063 CET	50241	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.357657909 CET	445	50241	29.183.147.1	192.168.2.5
Jan 15, 2025 02:59:15.357758045 CET	50241	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.357758045 CET	50241	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.358098984 CET	50242	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.358134985 CET	445	50240	29.183.147.247	192.168.2.5
Jan 15, 2025 02:59:15.358194113 CET	50240	445	192.168.2.5	29.183.147.247
Jan 15, 2025 02:59:15.362685919 CET	445	50241	29.183.147.1	192.168.2.5
Jan 15, 2025 02:59:15.362741947 CET	50241	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.363056898 CET	445	50242	29.183.147.1	192.168.2.5
Jan 15, 2025 02:59:15.363125086 CET	50242	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.363172054 CET	50242	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:15.367938995 CET	445	50242	29.183.147.1	192.168.2.5
Jan 15, 2025 02:59:16.081984043 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:16.086878061 CET	445	50248	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:16.087033987 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:16.087033987 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:16.092302084 CET	445	50248	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:16.097573042 CET	50249	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:16.102560997 CET	445	50249	38.242.199.1	192.168.2.5
Jan 15, 2025 02:59:16.102647066 CET	50249	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:16.102698088 CET	50249	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:16.107661009 CET	445	50249	38.242.199.1	192.168.2.5
Jan 15, 2025 02:59:16.582773924 CET	50254	445	192.168.2.5	140.58.80.103
Jan 15, 2025 02:59:16.587594986 CET	445	50254	140.58.80.103	192.168.2.5
Jan 15, 2025 02:59:16.587718964 CET	50254	445	192.168.2.5	140.58.80.103
Jan 15, 2025 02:59:16.587718964 CET	50254	445	192.168.2.5	140.58.80.103
Jan 15, 2025 02:59:16.587960005 CET	50255	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.592736959 CET	445	50255	140.58.80.1	192.168.2.5
Jan 15, 2025 02:59:16.592746973 CET	445	50254	140.58.80.103	192.168.2.5
Jan 15, 2025 02:59:16.592808962 CET	50255	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.592845917 CET	50254	445	192.168.2.5	140.58.80.103
Jan 15, 2025 02:59:16.593012094 CET	50255	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.594798088 CET	50256	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.597815037 CET	445	50255	140.58.80.1	192.168.2.5
Jan 15, 2025 02:59:16.597883940 CET	50255	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.599863052 CET	445	50256	140.58.80.1	192.168.2.5
Jan 15, 2025 02:59:16.599940062 CET	50256	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.599977970 CET	50256	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:16.604824066 CET	445	50256	140.58.80.1	192.168.2.5
Jan 15, 2025 02:59:17.082205057 CET	445	50094	117.2.101.1	192.168.2.5
Jan 15, 2025 02:59:17.082335949 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:17.082473993 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:17.082530022 CET	50094	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:17.088541031 CET	445	50094	117.2.101.1	192.168.2.5
Jan 15, 2025 02:59:17.088571072 CET	445	50094	117.2.101.1	192.168.2.5
Jan 15, 2025 02:59:17.301559925 CET	445	50100	167.35.109.1	192.168.2.5
Jan 15, 2025 02:59:17.301641941 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:59:17.301717997 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:59:17.301743984 CET	50100	445	192.168.2.5	167.35.109.1
Jan 15, 2025 02:59:17.306505919 CET	445	50100	167.35.109.1	192.168.2.5
Jan 15, 2025 02:59:17.306521893 CET	445	50100	167.35.109.1	192.168.2.5
Jan 15, 2025 02:59:17.363219023 CET	50262	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.368216038 CET	445	50262	167.35.109.2	192.168.2.5
Jan 15, 2025 02:59:17.368339062 CET	50262	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.368426085 CET	50262	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.369096994 CET	50263	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.373281956 CET	445	50262	167.35.109.2	192.168.2.5
Jan 15, 2025 02:59:17.373347998 CET	50262	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.374011040 CET	445	50263	167.35.109.2	192.168.2.5
Jan 15, 2025 02:59:17.374084949 CET	50263	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.374217987 CET	50263	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:17.379028082 CET	445	50263	167.35.109.2	192.168.2.5
Jan 15, 2025 02:59:17.738291025 CET	50265	445	192.168.2.5	111.209.240.246
Jan 15, 2025 02:59:17.743386030 CET	445	50265	111.209.240.246	192.168.2.5
Jan 15, 2025 02:59:17.743597984 CET	50265	445	192.168.2.5	111.209.240.246
Jan 15, 2025 02:59:17.743643999 CET	50265	445	192.168.2.5	111.209.240.246
Jan 15, 2025 02:59:17.743789911 CET	50266	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.748636007 CET	445	50265	111.209.240.246	192.168.2.5
Jan 15, 2025 02:59:17.748650074 CET	445	50266	111.209.240.1	192.168.2.5
Jan 15, 2025 02:59:17.748702049 CET	50265	445	192.168.2.5	111.209.240.246
Jan 15, 2025 02:59:17.748727083 CET	50266	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.748859882 CET	50266	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.749294996 CET	50267	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.754740953 CET	445	50267	111.209.240.1	192.168.2.5
Jan 15, 2025 02:59:17.754928112 CET	445	50266	111.209.240.1	192.168.2.5
Jan 15, 2025 02:59:17.755013943 CET	50266	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.755033016 CET	50267	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.755033016 CET	50267	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:17.760040998 CET	445	50267	111.209.240.1	192.168.2.5
Jan 15, 2025 02:59:17.835213900 CET	445	50248	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:17.835336924 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:17.835336924 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:17.835381031 CET	50248	445	192.168.2.5	45.33.237.1
Jan 15, 2025 02:59:17.841217041 CET	445	50248	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:17.841387033 CET	445	50248	45.33.237.1	192.168.2.5
Jan 15, 2025 02:59:17.894140959 CET	50268	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.898955107 CET	445	50268	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:17.899075031 CET	50268	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.899158955 CET	50268	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.899503946 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.904366016 CET	445	50268	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:17.904438019 CET	50268	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.904522896 CET	445	50269	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:17.904577017 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.904617071 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:17.909651995 CET	445	50269	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:18.112935066 CET	50274	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:18.117822886 CET	445	50274	34.28.85.1	192.168.2.5
Jan 15, 2025 02:59:18.117973089 CET	50274	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:18.117973089 CET	50274	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:18.122937918 CET	445	50274	34.28.85.1	192.168.2.5
Jan 15, 2025 02:59:18.816509008 CET	50281	445	192.168.2.5	219.14.212.211
Jan 15, 2025 02:59:18.821415901 CET	445	50281	219.14.212.211	192.168.2.5
Jan 15, 2025 02:59:18.821583986 CET	50281	445	192.168.2.5	219.14.212.211
Jan 15, 2025 02:59:18.821583986 CET	50281	445	192.168.2.5	219.14.212.211
Jan 15, 2025 02:59:18.821743011 CET	50282	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.826458931 CET	445	50281	219.14.212.211	192.168.2.5
Jan 15, 2025 02:59:18.826494932 CET	445	50282	219.14.212.1	192.168.2.5
Jan 15, 2025 02:59:18.826541901 CET	50281	445	192.168.2.5	219.14.212.211
Jan 15, 2025 02:59:18.826567888 CET	50282	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.826683998 CET	50282	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.827065945 CET	50283	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.831470013 CET	445	50282	219.14.212.1	192.168.2.5
Jan 15, 2025 02:59:18.831523895 CET	50282	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.831860065 CET	445	50283	219.14.212.1	192.168.2.5
Jan 15, 2025 02:59:18.831916094 CET	50283	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.831953049 CET	50283	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:18.836709023 CET	445	50283	219.14.212.1	192.168.2.5
Jan 15, 2025 02:59:19.099870920 CET	445	50111	48.111.230.1	192.168.2.5
Jan 15, 2025 02:59:19.099950075 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:19.100042105 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:19.100079060 CET	50111	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:19.104851961 CET	445	50111	48.111.230.1	192.168.2.5
Jan 15, 2025 02:59:19.104865074 CET	445	50111	48.111.230.1	192.168.2.5
Jan 15, 2025 02:59:19.316484928 CET	445	50113	5.92.127.1	192.168.2.5
Jan 15, 2025 02:59:19.316570997 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:59:19.316643000 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:59:19.316699028 CET	50113	445	192.168.2.5	5.92.127.1
Jan 15, 2025 02:59:19.322556973 CET	445	50113	5.92.127.1	192.168.2.5
Jan 15, 2025 02:59:19.322609901 CET	445	50113	5.92.127.1	192.168.2.5
Jan 15, 2025 02:59:19.378947973 CET	50285	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.383815050 CET	445	50285	5.92.127.2	192.168.2.5
Jan 15, 2025 02:59:19.383886099 CET	50285	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.383928061 CET	50285	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.384360075 CET	50286	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.388876915 CET	445	50285	5.92.127.2	192.168.2.5
Jan 15, 2025 02:59:19.388946056 CET	50285	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.389247894 CET	445	50286	5.92.127.2	192.168.2.5
Jan 15, 2025 02:59:19.389311075 CET	50286	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.389348030 CET	50286	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:19.394103050 CET	445	50286	5.92.127.2	192.168.2.5
Jan 15, 2025 02:59:19.618165970 CET	445	50269	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:19.618248940 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:19.618304968 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:19.618331909 CET	50269	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:19.623029947 CET	445	50269	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:19.623075008 CET	445	50269	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:19.831896067 CET	50292	445	192.168.2.5	170.151.136.20
Jan 15, 2025 02:59:19.837913036 CET	445	50292	170.151.136.20	192.168.2.5
Jan 15, 2025 02:59:19.838006020 CET	50292	445	192.168.2.5	170.151.136.20
Jan 15, 2025 02:59:19.838054895 CET	50292	445	192.168.2.5	170.151.136.20
Jan 15, 2025 02:59:19.838217974 CET	50293	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.843297958 CET	445	50293	170.151.136.1	192.168.2.5
Jan 15, 2025 02:59:19.843369961 CET	50293	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.843388081 CET	50293	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.843405962 CET	445	50292	170.151.136.20	192.168.2.5
Jan 15, 2025 02:59:19.843858957 CET	50294	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.843883038 CET	50292	445	192.168.2.5	170.151.136.20
Jan 15, 2025 02:59:19.848315954 CET	445	50293	170.151.136.1	192.168.2.5
Jan 15, 2025 02:59:19.848326921 CET	445	50293	170.151.136.1	192.168.2.5
Jan 15, 2025 02:59:19.848376989 CET	50293	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.848648071 CET	445	50294	170.151.136.1	192.168.2.5
Jan 15, 2025 02:59:19.848711967 CET	50294	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.848753929 CET	50294	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:19.853549957 CET	445	50294	170.151.136.1	192.168.2.5
Jan 15, 2025 02:59:20.097399950 CET	50295	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:20.102314949 CET	445	50295	117.2.101.1	192.168.2.5
Jan 15, 2025 02:59:20.102442980 CET	50295	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:20.102511883 CET	50295	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:20.107283115 CET	445	50295	117.2.101.1	192.168.2.5
Jan 15, 2025 02:59:20.769567013 CET	50301	445	192.168.2.5	219.202.225.135
Jan 15, 2025 02:59:20.774451971 CET	445	50301	219.202.225.135	192.168.2.5
Jan 15, 2025 02:59:20.778422117 CET	50301	445	192.168.2.5	219.202.225.135
Jan 15, 2025 02:59:20.778497934 CET	50301	445	192.168.2.5	219.202.225.135
Jan 15, 2025 02:59:20.778678894 CET	50302	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.783421993 CET	445	50301	219.202.225.135	192.168.2.5
Jan 15, 2025 02:59:20.783493996 CET	445	50302	219.202.225.1	192.168.2.5
Jan 15, 2025 02:59:20.783559084 CET	50301	445	192.168.2.5	219.202.225.135
Jan 15, 2025 02:59:20.783591986 CET	50302	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.783665895 CET	50302	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.783931971 CET	50303	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.788593054 CET	445	50302	219.202.225.1	192.168.2.5
Jan 15, 2025 02:59:20.788723946 CET	445	50303	219.202.225.1	192.168.2.5
Jan 15, 2025 02:59:20.788794994 CET	50302	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.788816929 CET	50303	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.788861036 CET	50303	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:20.793603897 CET	445	50303	219.202.225.1	192.168.2.5
Jan 15, 2025 02:59:21.175993919 CET	445	50125	75.199.66.1	192.168.2.5
Jan 15, 2025 02:59:21.176208973 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:21.176208973 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:21.176208973 CET	50125	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:21.181181908 CET	445	50125	75.199.66.1	192.168.2.5
Jan 15, 2025 02:59:21.181199074 CET	445	50125	75.199.66.1	192.168.2.5
Jan 15, 2025 02:59:21.317580938 CET	445	50127	161.7.75.1	192.168.2.5
Jan 15, 2025 02:59:21.317650080 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:59:21.317771912 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:59:21.317845106 CET	50127	445	192.168.2.5	161.7.75.1
Jan 15, 2025 02:59:21.322516918 CET	445	50127	161.7.75.1	192.168.2.5
Jan 15, 2025 02:59:21.322594881 CET	445	50127	161.7.75.1	192.168.2.5
Jan 15, 2025 02:59:21.378901958 CET	50309	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.383739948 CET	445	50309	161.7.75.2	192.168.2.5
Jan 15, 2025 02:59:21.383832932 CET	50309	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.383876085 CET	50309	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.384335995 CET	50310	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.388762951 CET	445	50309	161.7.75.2	192.168.2.5
Jan 15, 2025 02:59:21.388835907 CET	50309	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.389137983 CET	445	50310	161.7.75.2	192.168.2.5
Jan 15, 2025 02:59:21.389208078 CET	50310	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.389266968 CET	50310	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:21.394023895 CET	445	50310	161.7.75.2	192.168.2.5
Jan 15, 2025 02:59:21.644644976 CET	50311	445	192.168.2.5	122.200.21.252
Jan 15, 2025 02:59:21.649418116 CET	445	50311	122.200.21.252	192.168.2.5
Jan 15, 2025 02:59:21.649524927 CET	50311	445	192.168.2.5	122.200.21.252
Jan 15, 2025 02:59:21.656454086 CET	50311	445	192.168.2.5	122.200.21.252
Jan 15, 2025 02:59:21.656692982 CET	50312	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.661323071 CET	445	50311	122.200.21.252	192.168.2.5
Jan 15, 2025 02:59:21.661397934 CET	50311	445	192.168.2.5	122.200.21.252
Jan 15, 2025 02:59:21.661478043 CET	445	50312	122.200.21.1	192.168.2.5
Jan 15, 2025 02:59:21.661537886 CET	50312	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.661578894 CET	50312	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.661962032 CET	50313	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.666476011 CET	445	50312	122.200.21.1	192.168.2.5
Jan 15, 2025 02:59:21.666529894 CET	50312	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.666810036 CET	445	50313	122.200.21.1	192.168.2.5
Jan 15, 2025 02:59:21.666862011 CET	50313	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.666898966 CET	50313	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:21.671731949 CET	445	50313	122.200.21.1	192.168.2.5
Jan 15, 2025 02:59:22.113684893 CET	50319	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:22.118532896 CET	445	50319	48.111.230.1	192.168.2.5
Jan 15, 2025 02:59:22.118623018 CET	50319	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:22.118664980 CET	50319	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:22.123440981 CET	445	50319	48.111.230.1	192.168.2.5
Jan 15, 2025 02:59:22.472610950 CET	50320	445	192.168.2.5	209.178.43.113
Jan 15, 2025 02:59:22.477463961 CET	445	50320	209.178.43.113	192.168.2.5
Jan 15, 2025 02:59:22.477544069 CET	50320	445	192.168.2.5	209.178.43.113
Jan 15, 2025 02:59:22.477576971 CET	50320	445	192.168.2.5	209.178.43.113
Jan 15, 2025 02:59:22.477869034 CET	50321	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.482650995 CET	445	50321	209.178.43.1	192.168.2.5
Jan 15, 2025 02:59:22.482701063 CET	445	50320	209.178.43.113	192.168.2.5
Jan 15, 2025 02:59:22.482716084 CET	50321	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.482728958 CET	50321	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.482758045 CET	50320	445	192.168.2.5	209.178.43.113
Jan 15, 2025 02:59:22.483038902 CET	50322	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.487601042 CET	445	50321	209.178.43.1	192.168.2.5
Jan 15, 2025 02:59:22.487673998 CET	50321	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.487798929 CET	445	50322	209.178.43.1	192.168.2.5
Jan 15, 2025 02:59:22.487862110 CET	50322	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.488096952 CET	50322	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:22.492897987 CET	445	50322	209.178.43.1	192.168.2.5
Jan 15, 2025 02:59:22.628511906 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:22.633389950 CET	445	50327	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:22.633481026 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:22.633496046 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:22.638279915 CET	445	50327	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:23.175971031 CET	445	50138	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:23.176045895 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:23.176096916 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:23.176141977 CET	50138	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:23.181091070 CET	445	50138	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:23.181220055 CET	445	50138	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:23.238389969 CET	50329	445	192.168.2.5	48.223.148.157
Jan 15, 2025 02:59:23.243196964 CET	445	50329	48.223.148.157	192.168.2.5
Jan 15, 2025 02:59:23.243295908 CET	50329	445	192.168.2.5	48.223.148.157
Jan 15, 2025 02:59:23.243328094 CET	50329	445	192.168.2.5	48.223.148.157
Jan 15, 2025 02:59:23.243534088 CET	50330	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.248226881 CET	445	50329	48.223.148.157	192.168.2.5
Jan 15, 2025 02:59:23.248274088 CET	445	50330	48.223.148.1	192.168.2.5
Jan 15, 2025 02:59:23.248310089 CET	50329	445	192.168.2.5	48.223.148.157
Jan 15, 2025 02:59:23.248368979 CET	50330	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.248461008 CET	50330	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.248801947 CET	50331	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.253304005 CET	445	50330	48.223.148.1	192.168.2.5
Jan 15, 2025 02:59:23.253376007 CET	50330	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.253664970 CET	445	50331	48.223.148.1	192.168.2.5
Jan 15, 2025 02:59:23.253725052 CET	50331	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.253752947 CET	50331	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:23.258522034 CET	445	50331	48.223.148.1	192.168.2.5
Jan 15, 2025 02:59:23.425493956 CET	445	50141	40.92.175.1	192.168.2.5
Jan 15, 2025 02:59:23.425632954 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:23.425755024 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:23.425837994 CET	50141	445	192.168.2.5	40.92.175.1
Jan 15, 2025 02:59:23.430540085 CET	445	50141	40.92.175.1	192.168.2.5
Jan 15, 2025 02:59:23.430617094 CET	445	50141	40.92.175.1	192.168.2.5
Jan 15, 2025 02:59:23.488249063 CET	50336	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.493215084 CET	445	50336	40.92.175.2	192.168.2.5
Jan 15, 2025 02:59:23.493297100 CET	50336	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.493356943 CET	50336	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.493748903 CET	50337	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.498833895 CET	445	50337	40.92.175.2	192.168.2.5
Jan 15, 2025 02:59:23.498904943 CET	50337	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.498934031 CET	50337	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.499797106 CET	445	50336	40.92.175.2	192.168.2.5
Jan 15, 2025 02:59:23.499852896 CET	50336	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:23.503770113 CET	445	50337	40.92.175.2	192.168.2.5
Jan 15, 2025 02:59:24.191215992 CET	50344	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:24.196052074 CET	445	50344	75.199.66.1	192.168.2.5
Jan 15, 2025 02:59:24.196172953 CET	50344	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:24.196208954 CET	50344	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:24.200958014 CET	445	50344	75.199.66.1	192.168.2.5
Jan 15, 2025 02:59:24.436860085 CET	445	50327	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:24.436930895 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:24.436966896 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:24.437004089 CET	50327	445	192.168.2.5	45.33.237.2
Jan 15, 2025 02:59:24.441838026 CET	445	50327	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:24.441849947 CET	445	50327	45.33.237.2	192.168.2.5
Jan 15, 2025 02:59:24.488065004 CET	50345	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.492973089 CET	445	50345	45.33.237.3	192.168.2.5
Jan 15, 2025 02:59:24.493065119 CET	50345	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.493149996 CET	50345	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.493609905 CET	50346	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.498431921 CET	445	50346	45.33.237.3	192.168.2.5
Jan 15, 2025 02:59:24.498516083 CET	50346	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.498840094 CET	50346	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.500304937 CET	445	50345	45.33.237.3	192.168.2.5
Jan 15, 2025 02:59:24.500535965 CET	445	50345	45.33.237.3	192.168.2.5
Jan 15, 2025 02:59:24.500586987 CET	50345	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:24.503671885 CET	445	50346	45.33.237.3	192.168.2.5
Jan 15, 2025 02:59:25.179893970 CET	445	50153	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:25.179966927 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:25.180000067 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:25.180047989 CET	50153	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:25.184767962 CET	445	50153	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:25.184783936 CET	445	50153	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:25.365478992 CET	445	50155	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:25.365576029 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:25.365631104 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:25.365698099 CET	50155	445	192.168.2.5	223.67.238.1
Jan 15, 2025 02:59:25.370424986 CET	445	50155	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:25.370446920 CET	445	50155	223.67.238.1	192.168.2.5
Jan 15, 2025 02:59:25.425687075 CET	50356	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.430608988 CET	445	50356	223.67.238.2	192.168.2.5
Jan 15, 2025 02:59:25.430716991 CET	50356	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.430759907 CET	50356	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.431152105 CET	50357	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.435643911 CET	445	50356	223.67.238.2	192.168.2.5
Jan 15, 2025 02:59:25.435705900 CET	50356	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.435945988 CET	445	50357	223.67.238.2	192.168.2.5
Jan 15, 2025 02:59:25.436005116 CET	50357	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.436049938 CET	50357	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:25.440821886 CET	445	50357	223.67.238.2	192.168.2.5
Jan 15, 2025 02:59:26.191360950 CET	50366	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:26.196211100 CET	445	50366	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:26.196372986 CET	50366	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:26.196372986 CET	50366	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:26.201176882 CET	445	50366	76.182.197.1	192.168.2.5
Jan 15, 2025 02:59:27.208117008 CET	445	50166	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:27.208234072 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:27.208266973 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:27.208319902 CET	50166	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:27.213078976 CET	445	50166	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:27.213087082 CET	445	50166	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:28.197130919 CET	50389	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:28.202290058 CET	445	50389	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:28.202531099 CET	50389	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:28.203269005 CET	50389	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:28.208137035 CET	445	50389	30.129.64.1	192.168.2.5
Jan 15, 2025 02:59:29.053234100 CET	445	50180	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:29.053308964 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:29.053350925 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:29.053401947 CET	50180	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:29.058264017 CET	445	50180	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:29.058294058 CET	445	50180	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:29.363970995 CET	445	50182	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:29.364126921 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:29.364191055 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:29.364238024 CET	50182	445	192.168.2.5	136.61.41.1
Jan 15, 2025 02:59:29.370157003 CET	445	50182	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:29.370191097 CET	445	50182	136.61.41.1	192.168.2.5
Jan 15, 2025 02:59:29.425622940 CET	50401	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.430572987 CET	445	50401	136.61.41.2	192.168.2.5
Jan 15, 2025 02:59:29.430696011 CET	50401	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.430743933 CET	50401	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.431083918 CET	50403	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.435724020 CET	445	50401	136.61.41.2	192.168.2.5
Jan 15, 2025 02:59:29.435810089 CET	50401	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.435945034 CET	445	50403	136.61.41.2	192.168.2.5
Jan 15, 2025 02:59:29.436014891 CET	50403	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.436078072 CET	50403	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:29.440910101 CET	445	50403	136.61.41.2	192.168.2.5
Jan 15, 2025 02:59:30.222296000 CET	50415	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:30.227384090 CET	445	50415	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:30.230465889 CET	50415	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:30.230556011 CET	50415	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:30.236421108 CET	445	50415	124.91.26.1	192.168.2.5
Jan 15, 2025 02:59:30.834233999 CET	445	50193	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:30.834346056 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:30.834414005 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:30.834471941 CET	50193	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:30.839320898 CET	445	50193	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:30.839335918 CET	445	50193	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:31.431802034 CET	445	50198	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:31.431943893 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:31.431977987 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:31.432022095 CET	50198	445	192.168.2.5	122.101.248.1
Jan 15, 2025 02:59:31.436755896 CET	445	50198	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:31.436765909 CET	445	50198	122.101.248.1	192.168.2.5
Jan 15, 2025 02:59:31.488114119 CET	50438	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.492935896 CET	445	50438	122.101.248.2	192.168.2.5
Jan 15, 2025 02:59:31.493036032 CET	50438	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.493094921 CET	50438	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.493525982 CET	50439	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.498373032 CET	445	50439	122.101.248.2	192.168.2.5
Jan 15, 2025 02:59:31.498507023 CET	50439	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.498581886 CET	50439	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.500341892 CET	445	50438	122.101.248.2	192.168.2.5
Jan 15, 2025 02:59:31.500375986 CET	445	50438	122.101.248.2	192.168.2.5
Jan 15, 2025 02:59:31.500432014 CET	50438	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:31.503431082 CET	445	50439	122.101.248.2	192.168.2.5
Jan 15, 2025 02:59:32.066030025 CET	50452	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:32.072978020 CET	445	50452	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:32.073124886 CET	50452	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:32.073167086 CET	50452	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:32.077995062 CET	445	50452	197.84.254.1	192.168.2.5
Jan 15, 2025 02:59:33.457611084 CET	445	50210	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:33.457706928 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:33.457757950 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:33.457794905 CET	50210	445	192.168.2.5	66.43.16.1
Jan 15, 2025 02:59:33.462697029 CET	445	50210	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:33.462749958 CET	445	50210	66.43.16.1	192.168.2.5
Jan 15, 2025 02:59:33.519418955 CET	50495	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.524414062 CET	445	50495	66.43.16.2	192.168.2.5
Jan 15, 2025 02:59:33.524545908 CET	50495	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.524604082 CET	50495	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.524899960 CET	50497	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.530237913 CET	445	50497	66.43.16.2	192.168.2.5
Jan 15, 2025 02:59:33.530307055 CET	50497	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.530363083 CET	50497	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.530385971 CET	445	50495	66.43.16.2	192.168.2.5
Jan 15, 2025 02:59:33.530494928 CET	50495	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:33.535114050 CET	445	50497	66.43.16.2	192.168.2.5
Jan 15, 2025 02:59:33.838351965 CET	445	50214	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:33.838474989 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:33.838531017 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:33.838582039 CET	50214	445	192.168.2.5	66.102.158.2
Jan 15, 2025 02:59:33.843358994 CET	445	50214	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:33.843374968 CET	445	50214	66.102.158.2	192.168.2.5
Jan 15, 2025 02:59:33.847203016 CET	50512	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:33.852058887 CET	445	50512	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:33.852134943 CET	50512	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:33.852159977 CET	50512	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:33.856888056 CET	445	50512	79.125.115.1	192.168.2.5
Jan 15, 2025 02:59:33.894315004 CET	50515	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.899238110 CET	445	50515	66.102.158.3	192.168.2.5
Jan 15, 2025 02:59:33.899346113 CET	50515	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.899347067 CET	50515	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.899804115 CET	50516	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.904316902 CET	445	50515	66.102.158.3	192.168.2.5
Jan 15, 2025 02:59:33.904328108 CET	445	50515	66.102.158.3	192.168.2.5
Jan 15, 2025 02:59:33.904392958 CET	50515	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.904668093 CET	445	50516	66.102.158.3	192.168.2.5
Jan 15, 2025 02:59:33.904728889 CET	50516	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.904747963 CET	50516	445	192.168.2.5	66.102.158.3
Jan 15, 2025 02:59:33.909476995 CET	445	50516	66.102.158.3	192.168.2.5
Jan 15, 2025 02:59:34.008553028 CET	445	50218	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:34.008650064 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:34.008712053 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:34.008769989 CET	50218	445	192.168.2.5	147.140.226.1
Jan 15, 2025 02:59:34.013485909 CET	445	50218	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:34.013540030 CET	445	50218	147.140.226.1	192.168.2.5
Jan 15, 2025 02:59:35.428261995 CET	445	50230	150.215.1.1	192.168.2.5
Jan 15, 2025 02:59:35.428332090 CET	50230	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:35.664565086 CET	445	50233	197.168.4.1	192.168.2.5
Jan 15, 2025 02:59:35.664647102 CET	50233	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:36.200167894 CET	50242	445	192.168.2.5	29.183.147.1
Jan 15, 2025 02:59:36.200227976 CET	50357	445	192.168.2.5	223.67.238.2
Jan 15, 2025 02:59:36.200227976 CET	50337	445	192.168.2.5	40.92.175.2
Jan 15, 2025 02:59:36.200267076 CET	50310	445	192.168.2.5	161.7.75.2
Jan 15, 2025 02:59:36.200274944 CET	50249	445	192.168.2.5	38.242.199.1
Jan 15, 2025 02:59:36.200301886 CET	50346	445	192.168.2.5	45.33.237.3
Jan 15, 2025 02:59:36.200321913 CET	50233	445	192.168.2.5	197.168.4.1
Jan 15, 2025 02:59:36.200381041 CET	50230	445	192.168.2.5	150.215.1.1
Jan 15, 2025 02:59:36.200422049 CET	50512	445	192.168.2.5	79.125.115.1
Jan 15, 2025 02:59:36.200498104 CET	50286	445	192.168.2.5	5.92.127.2
Jan 15, 2025 02:59:36.200515032 CET	50263	445	192.168.2.5	167.35.109.2
Jan 15, 2025 02:59:36.200557947 CET	50439	445	192.168.2.5	122.101.248.2
Jan 15, 2025 02:59:36.200582981 CET	50256	445	192.168.2.5	140.58.80.1
Jan 15, 2025 02:59:36.200597048 CET	50267	445	192.168.2.5	111.209.240.1
Jan 15, 2025 02:59:36.200635910 CET	50274	445	192.168.2.5	34.28.85.1
Jan 15, 2025 02:59:36.200723886 CET	50283	445	192.168.2.5	219.14.212.1
Jan 15, 2025 02:59:36.200762987 CET	50294	445	192.168.2.5	170.151.136.1
Jan 15, 2025 02:59:36.200778008 CET	50295	445	192.168.2.5	117.2.101.1
Jan 15, 2025 02:59:36.200793982 CET	50303	445	192.168.2.5	219.202.225.1
Jan 15, 2025 02:59:36.200848103 CET	50319	445	192.168.2.5	48.111.230.1
Jan 15, 2025 02:59:36.200870991 CET	50313	445	192.168.2.5	122.200.21.1
Jan 15, 2025 02:59:36.200870991 CET	50322	445	192.168.2.5	209.178.43.1
Jan 15, 2025 02:59:36.200902939 CET	50331	445	192.168.2.5	48.223.148.1
Jan 15, 2025 02:59:36.200934887 CET	50344	445	192.168.2.5	75.199.66.1
Jan 15, 2025 02:59:36.200958967 CET	50366	445	192.168.2.5	76.182.197.1
Jan 15, 2025 02:59:36.200993061 CET	50389	445	192.168.2.5	30.129.64.1
Jan 15, 2025 02:59:36.201013088 CET	50403	445	192.168.2.5	136.61.41.2
Jan 15, 2025 02:59:36.201040983 CET	50415	445	192.168.2.5	124.91.26.1
Jan 15, 2025 02:59:36.201085091 CET	50452	445	192.168.2.5	197.84.254.1
Jan 15, 2025 02:59:36.201220989 CET	50497	445	192.168.2.5	66.43.16.2
Jan 15, 2025 02:59:36.201311111 CET	50516	445	192.168.2.5	66.102.158.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:58:28.485003948 CET	54257	53	192.168.2.5	1.1.1.1
Jan 15, 2025 02:58:28.639758110 CET	53	54257	1.1.1.1	192.168.2.5
Jan 15, 2025 02:58:29.279057026 CET	61771	53	192.168.2.5	1.1.1.1
Jan 15, 2025 02:58:29.605180025 CET	53	61771	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 02:58:28.485003948 CET	192.168.2.5	1.1.1.1	0x2ab3	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:58:29.279057026 CET	192.168.2.5	1.1.1.1	0x7ad0	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 02:58:28.639758110 CET	1.1.1.1	192.168.2.5	0x2ab3	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:58:29.605180025 CET	1.1.1.1	192.168.2.5	0x7ad0	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 02:58:29.605180025 CET	1.1.1.1	192.168.2.5	0x7ad0	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	103.224.212.215	80	4308	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:28.654110909 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 02:58:29.253204107 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:29 GMT server: Apache set-cookie: __tad=1736906309.2045439; expires=Sat, 13-Jan-2035 01:58:29 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f5d content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	199.59.243.228	80	4308	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:29.611684084 CET	169	OUT	GET /?subid1=20250115-1258-29df-89f9-50f10d431f5d HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 02:58:30.068670988 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:29 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 72908bbf-89ad-4006-aba3-e99298a28c4b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XtbfwpOoZhTE/fCp6GRexeoVH/NTaqH+k/DeJ0yEGSCrtv5szMIDYgxxyPc2/GPPYfCpc7SkViWOg3o1RIS4WA== set-cookie: parking_session=72908bbf-89ad-4006-aba3-e99298a28c4b; expires=Wed, 15 Jan 2025 02:13:30 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 58 74 62 66 77 70 4f 6f 5a 68 54 45 2f 66 43 70 36 47 52 65 78 65 6f 56 48 2f 4e 54 61 71 48 2b 6b 2f 44 65 4a 30 79 45 47 53 43 72 74 76 35 73 7a 4d 49 44 59 67 78 78 79 50 63 32 2f 47 50 50 59 66 43 70 63 37 53 6b 56 69 57 4f 67 33 6f 31 52 49 53 34 57 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XtbfwpOoZhTE/fCp6GRexeoVH/NTaqH+k/DeJ0yEGSCrtv5szMIDYgxxyPc2/GPPYfCpc7SkViWOg3o1RIS4WA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 02:58:30.068720102 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzI5MDhiYmYtODlhZC00MDA2LWFiYTMtZTk5Mjk4YTI4YzRiIiwicGFnZV90aW1lIjoxNzM2OTA2MzEwLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	103.224.212.215	80	5536	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:30.313309908 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 02:58:30.937666893 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:30 GMT server: Apache set-cookie: __tad=1736906310.4444240; expires=Sat, 13-Jan-2035 01:58:30 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e47 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	199.59.243.228	80	5536	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:30.948050976 CET	169	OUT	GET /?subid1=20250115-1258-30b4-926b-ebcd05294e47 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 02:58:31.402571917 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:30 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 84ffacce-068e-45e5-9070-c271a9c0ace6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aM0v1/JWjjTj66a4UIbMSZcKBJeh//sGeF0cuDMZQ+CxjNkRhGS+yXpc1Dni2mb0a+FVC6bgoKYPZ8g7WqUROg== set-cookie: parking_session=84ffacce-068e-45e5-9070-c271a9c0ace6; expires=Wed, 15 Jan 2025 02:13:31 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 4d 30 76 31 2f 4a 57 6a 6a 54 6a 36 36 61 34 55 49 62 4d 53 5a 63 4b 42 4a 65 68 2f 2f 73 47 65 46 30 63 75 44 4d 5a 51 2b 43 78 6a 4e 6b 52 68 47 53 2b 79 58 70 63 31 44 6e 69 32 6d 62 30 61 2b 46 56 43 36 62 67 6f 4b 59 50 5a 38 67 37 57 71 55 52 4f 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aM0v1/JWjjTj66a4UIbMSZcKBJeh//sGeF0cuDMZQ+CxjNkRhGS+yXpc1Dni2mb0a+FVC6bgoKYPZ8g7WqUROg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 02:58:31.402595997 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODRmZmFjY2UtMDY4ZS00NWU1LTkwNzAtYzI3MWE5YzBhY2U2IiwicGFnZV90aW1lIjoxNzM2OTA2MzExLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	103.224.212.215	80	3656	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:31.370541096 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736906309.2045439
Jan 15, 2025 02:58:31.964457989 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:31 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f039 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	199.59.243.228	80	3656	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:31.973670959 CET	231	OUT	GET /?subid1=20250115-1258-3155-9edf-37a78753f039 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=72908bbf-89ad-4006-aba3-e99298a28c4b
Jan 15, 2025 02:58:32.429480076 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:32 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 858c5a60-122f-4119-92d8-af914e5465bf cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r4tF+4rl5t9VcDldenzTNTL77wc/md1QUosQdbDDtb/EYSR3yknH/VrxpZQGMuHBEKXQozoJdLekP7UDvi0wPQ== set-cookie: parking_session=72908bbf-89ad-4006-aba3-e99298a28c4b; expires=Wed, 15 Jan 2025 02:13:32 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 34 74 46 2b 34 72 6c 35 74 39 56 63 44 6c 64 65 6e 7a 54 4e 54 4c 37 37 77 63 2f 6d 64 31 51 55 6f 73 51 64 62 44 44 74 62 2f 45 59 53 52 33 79 6b 6e 48 2f 56 72 78 70 5a 51 47 4d 75 48 42 45 4b 58 51 6f 7a 6f 4a 64 4c 65 6b 50 37 55 44 76 69 30 77 50 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r4tF+4rl5t9VcDldenzTNTL77wc/md1QUosQdbDDtb/EYSR3yknH/VrxpZQGMuHBEKXQozoJdLekP7UDvi0wPQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 02:58:32.429512978 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzI5MDhiYmYtODlhZC00MDA2LWFiYTMtZTk5Mjk4YTI4YzRiIiwicGFnZV90aW1lIjoxNzM2OTA2MzEyLCJwYWdlX3VybCI6Imh0dHA6L

Target ID:	0
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll"
Imagebase:	0x220000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hVgcaX2SV8.dll,PlayGame
Imagebase:	0x5f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",#1
Imagebase:	0x5f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:58:27
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	C52D23EEDF757DFD3703AC774DE1C457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2104424678.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:58:29
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	C52D23EEDF757DFD3703AC774DE1C457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2123551514.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2774027813.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2774278925.000000000228A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:58:30
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hVgcaX2SV8.dll",PlayGame
Imagebase:	0x5f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:58:30
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	C52D23EEDF757DFD3703AC774DE1C457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2133754261.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2151167613.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
/i, xrefs: 00407E8D
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateProcessA, xrefs: 00407D07
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA

Memory Dump Source

Source File: 00000005.00000002.2137096385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2137073139.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137130398.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137217492.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.2137096385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2137073139.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137130398.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137217492.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.2137096385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2137073139.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137130398.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137217492.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000005.00000002.2137096385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2137073139.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137130398.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137217492.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.2137096385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2137073139.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137130398.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137217492.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2137318896.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 5536, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2773030409.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2773014131.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773049586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773130667.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773149345.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2773030409.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2773014131.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773049586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773130667.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773149345.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000007.00000002.2773030409.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2773014131.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773049586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773130667.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773149345.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

D, xrefs: 00407ED3
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
CreateProcessA, xrefs: 00407D07
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
kernel32.dll, xrefs: 00407CEA
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000007.00000002.2773030409.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2773014131.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773049586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773130667.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773149345.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2773030409.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2773014131.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773049586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773066141.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773130667.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773149345.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2773238979.00000000008FD000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f5d	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Q	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f039	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f0	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e47	Avira URL Cloud: Label: malware

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 80%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 80%

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-29df-89f9-50f10d431f5d HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-30b4-926b-ebcd05294e47 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736906309.2045439
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-3155-9edf-37a78753f039 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=72908bbf-89ad-4006-aba3-e99298a28c4b

Source: hVgcaX2SV8.dll	Virustotal: Detection: 92%			Perma Link
Source: hVgcaX2SV8.dll	ReversingLabs: Detection: 92%

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.228
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.228
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.228
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.228
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.109.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.51
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.51
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.51
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.51
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 5.92.127.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.7.75.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.109
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.109
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.109
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.109
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.92.175.1

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/1
Source: mssecsvr.exe, 00000005.00000002.2137869882.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-29df-89f9-50f10d431f
Source: mssecsvr.exe, 00000007.00000002.2773536526.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2773536526.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-30b4-926b-ebcd05294e
Source: mssecsvr.exe, 00000009.00000002.2151839433.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-3155-9edf-37a78753f0
Source: mssecsvr.exe, 00000009.00000002.2151839433.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Q
Source: hVgcaX2SV8.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000005.00000002.2137869882.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2137869882.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2137869882.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2137869882.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2773536526.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2151839433.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2151839433.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000009.00000002.2151839433.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Xm
Source: mssecsvr.exe, 00000005.00000002.2137869882.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p
Source: mssecsvr.exe, 00000007.00000002.2772976788.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000009.00000002.2151839433.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comNm

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: Yara match	File source: hVgcaX2SV8.dll, type: SAMPLE
Source: Yara match	File source: 7.2.mssecsvr.exe.228a948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227b8c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d52084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d61104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22868e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d61104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.228a948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d5d0a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2137159664.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2773108997.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2104424678.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2123551514.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2133754261.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2151167613.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2774027813.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2774278925.000000000228A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 4308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3656, type: MEMORYSTR

Source: hVgcaX2SV8.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d52084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227b8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.228a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.228a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.227b8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227b8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d52084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d52084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d61104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d61104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.22868e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d61104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.228a948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d5d0a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: hVgcaX2SV8.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d52084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227b8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.228a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.228a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.227b8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227b8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d52084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d52084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d61104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d61104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.22868e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d61104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.228a948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d5d0a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		7_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hVgcaX2SV8.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
hVgcaX2SV8.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre