Edit tour

Windows Analysis Report
NLWfV87ouS.dll

Overview

General Information

Sample name:	NLWfV87ouS.dll renamed because original name is a hash value
Original sample name:	23d048d04f55b993301b477b1b8bd7a8.dll
Analysis ID:	1591529
MD5:	23d048d04f55b993301b477b1b8bd7a8
SHA1:	eef0b45632e55705c1cab4bb6da58e882a8ab865
SHA256:	d048f0164808c5daab17d4e224bcaa079ac7371f36618e9e6d4eb1b2b65c3953
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2332 cmdline: loaddll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6936 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6252 cmdline: rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5640 cmdline: rundll32.exe C:\Users\user\Desktop\NLWfV87ouS.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6656 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 6F25163220B24FB054B144BE9F82C096)

rundll32.exe (PID: 1948 cmdline: rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 6752 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 6F25163220B24FB054B144BE9F82C096)

mssecsvr.exe (PID: 5396 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 6F25163220B24FB054B144BE9F82C096)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NLWfV87ouS.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
NLWfV87ouS.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\mssecsvr.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvr.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
C:\Windows\mssecsvr.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2213069023.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2195861336.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2199520983.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2171769143.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2849584166.0000000001E5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2849831934.0000000002381000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6656	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 5396	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6752	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvr.exe.23728c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1e4f084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.23728c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.23728c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.23728c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e5e104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e5e104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.1e5e104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e4f084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e4f084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.1e4f084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.2381948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2381948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2381948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e5e104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e5e104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x50b9d4:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
10.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
10.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvr.exe.1e5a0a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.1e5a0a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.237d8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.237d8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
8.2.mssecsvr.exe.2381948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvr.exe.2381948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
Click to see the 35 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:58:49.093541+0100	2803304	3	Unknown Traffic	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T02:58:50.638385+0100	2803304	3	Unknown Traffic	192.168.2.6	49713	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:58:48.174980+0100	2830018	1	A Network Trojan was detected	192.168.2.6	56606	1.1.1.1	53	UDP

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03

Source: NLWfV87ouS.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NLWfV87ouS.dll,PlayGame

Source: NLWfV87ouS.dll	Virustotal: Detection: 94%
Source: NLWfV87ouS.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NLWfV87ouS.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NLWfV87ouS.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: NLWfV87ouS.dll

Static file information: File size 5267459 > 1048576

Source: NLWfV87ouS.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.6.dr

Static PE information: section name: .text entropy: 7.543576774509125

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvr.exe	Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 6440	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6440	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6416	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6416	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6440	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2208462022.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2213559856.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*_]-
Source: mssecsvr.exe, 00000008.00000003.2208462022.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NLWfV87ouS.dll	94%	Virustotal		Browse
NLWfV87ouS.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
NLWfV87ouS.dll	100%	Avira	TR/AD.DPulsarShellcode.gohtr
NLWfV87ouS.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvr.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvr.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	86%	ReversingLabs	ByteCode-MSIL.Ransomware.WannaCry
C:\Windows\mssecsvr.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	86%	ReversingLabs	ByteCode-MSIL.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comYs	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.commmEn	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com2$6.5	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423b	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/n	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc11	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc110a	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423bb5	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423bb5	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc110a	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc11	mssecsvr.exe, 00000008.00000002.2849180029.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2208462022.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:s~A	mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com2$6.5	mssecsvr.exe, 0000000A.00000002.2213559856.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comYs	mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	mssecsvr.exe.4.dr	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2	mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/~	mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/us	mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423b	mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.commmEn	mssecsvr.exe, 00000008.00000002.2849180029.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/n	mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000008.00000002.2848722808.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/7	mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.140.202.246	unknown	United States	17264	CERNER-COMUS	false
115.165.57.1	unknown	Japan	9365	ITSCOMitscommunicationsIncJP	false
148.225.116.104	unknown	Mexico	4493	UniversidaddeSonoraMX	false
49.55.159.1	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
46.91.122.159	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
148.225.116.1	unknown	Mexico	4493	UniversidaddeSonoraMX	false
155.184.140.2	unknown	United States	37532	ZAMRENZM	false
155.184.140.1	unknown	United States	37532	ZAMRENZM	false
72.167.90.1	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
23.170.165.153	unknown	Reserved	393582	KHP-DLA-ASN-01US	false
175.101.165.1	unknown	India	17754	EXCELL-ASExcellmediaIN	false
159.199.82.1	unknown	United States	11363	FUJITSU-USAUS	false
65.242.217.35	unknown	United States	33476	AS33476-TRADE-12US	false
65.242.217.1	unknown	United States	33476	AS33476-TRADE-12US	false
23.170.165.1	unknown	Reserved	393582	KHP-DLA-ASN-01US	false
161.113.71.198	unknown	United States	26381	HSBC-COMUS	false
31.108.191.1	unknown	United Kingdom	12576	EELtdGB	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221
192.168.2.101

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591529
Start date and time:	2025-01-15 02:57:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NLWfV87ouS.dll renamed because original name is a hash value
Original Sample Name:	23d048d04f55b993301b477b1b8bd7a8.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/3@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.30.131.245, 199.232.214.172, 2.22.50.144, 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:49	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:59:24	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	sLlAsC4I5r.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CERNER-COMUS	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	159.140.225.100
	arm6.elf	Get hash	malicious	Unknown	Browse	159.140.225.122
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	159.140.225.170
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	159.140.225.103
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	159.140.225.168
	bot.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	159.140.225.105
	huhu.mpsl.elf	Get hash	malicious	Mirai	Browse	159.140.225.168
	j1tsFOM5hC.elf	Get hash	malicious	Mirai	Browse	159.140.225.139
	3NlKDxmZwm.elf	Get hash	malicious	Unknown	Browse	159.140.225.119
	wEWJ2qbZx1.elf	Get hash	malicious	Mirai	Browse	159.140.225.127
ITSCOMitscommunicationsIncJP	mips.elf	Get hash	malicious	Unknown	Browse	163.58.82.152
	3.elf	Get hash	malicious	Unknown	Browse	218.45.207.247
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	219.110.149.136
	armv5l.elf	Get hash	malicious	Unknown	Browse	163.58.70.45
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	219.110.36.94
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	163.58.21.82
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	116.0.231.239
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	163.58.166.109
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	219.110.102.103
	arm.elf	Get hash	malicious	Unknown	Browse	175.177.255.87
UniversidaddeSonoraMX	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	148.225.64.87
	arm7.elf	Get hash	malicious	Unknown	Browse	148.225.52.71
	hiss.arm7.elf	Get hash	malicious	Unknown	Browse	148.225.64.61
	byte.arm5.elf	Get hash	malicious	Okiru	Browse	148.225.40.98
	hoho.arm7.elf	Get hash	malicious	Mirai	Browse	148.225.52.88
	8427xbk3Zt.elf	Get hash	malicious	Unknown	Browse	148.225.108.254
	byKLI4nzv2.elf	Get hash	malicious	Mirai	Browse	148.225.40.71
	ODggSYsZP2.elf	Get hash	malicious	Unknown	Browse	148.225.64.76
	x44pCciC79.elf	Get hash	malicious	Mirai	Browse	148.225.108.243
	K3k8Tqy0DP.elf	Get hash	malicious	Mirai	Browse	148.225.88.82

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://reviewpolicysocialreach.vercel.app/help&z/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	173.222.162.64
	https://cdn.trytraffics.com/rdr/YWE9MzU1NTgxMDE3JnNlaT0zMDE4NjQ3NyZ0az1JaVpNVjJSRDNza0FlTER2TTdvRyZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://teiegroj.cc/ZH/	Get hash	malicious	Telegram Phisher	Browse	173.222.162.64
	http://onlineausde.andhrauniversity.edu.in/studentLogin/Payments/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://nnsnsupport.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	40.113.110.67
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/b/?_encoding=UTF8&_encoding=UTF8&node=3024314031&bbn=16435051&pd_rd_w=VSdHJ&content-id=amzn1.sym.01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_p=01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_r=E0WD16QK99B55VAWSKBQ&pd_rd_wg=EU3Lj&pd_rd_r=fd3510c2-a6e6-4f59-a468-c59aac80bfa9&ref_=pd_hp_d_btf_unk	Get hash	malicious	Unknown	Browse	40.113.110.67
	https://ziyahid.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67
	http://pub-35a1d927529e4c9684409537cf8ff63f.r2.dev/docu/e_protocol.html	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67
	http://emeklilereozeldir.org/	Get hash	malicious	Unknown	Browse	40.113.110.67
	http://industrious-tomato-ngvkcs.mystrikingly.com/	Get hash	malicious	Unknown	Browse	40.113.110.67
	http://telegroom-nzj.icu/	Get hash	malicious	Telegram Phisher	Browse	40.113.110.67
	https://cdn.trytraffics.com/rdr/YWE9MzUyODAwODkxJnNlaT0zMDQ3NDU3NCZ0az1JR0doTXJGNXNpVnJBYzZkWlBUWSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	40.113.110.67
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	40.113.110.67
	https://yolocdh.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.962002774072566
Encrypted:	false
SSDEEP:	49152:uMSDbcBVQej/1INRx+DX1HkQo6SAARdhn7:uDoBhz1aRxqk36SAEdh7
MD5:	ABA8C6BAE8872F73A473AE3B18F186A4
SHA1:	9567DAB5A9E98B1623E0A12ABA3E5788EB32360F
SHA-256:	13AEAA8228839201C3BF6632AA7696E549773DE4824DCA3FEBE43FE1D20EF477
SHA-512:	F4F6B60997C771D5829DE2E007F2A894A936DF855C100A7D27AF7195DFD9E4C4634E62BFA24103A2CE771EC6ECCF27D19399A1D5552FA9CC02813D5C84E7EEA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 86%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvr.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2281472
Entropy (8bit):	7.87524444106292
Encrypted:	false
SSDEEP:	49152:QnAMSDbcBVQej/1INRx+DX1HkQo6SAARdhnF:QADoBhz1aRxqk36SAEdhF
MD5:	6F25163220B24FB054B144BE9F82C096
SHA1:	F49190281384EC665B88C5917CF30E5E1652D27E
SHA-256:	3ED3703E2513698E1615793DFFC02D7844A345C03EE37C867ECD7289EFDEC509
SHA-512:	00C8489B5F3DC28A43531D0D10663B07AF07FEA06E2CD5927EB1E36D2A54F8B8DC297FF4EA788AF1F798F959306982DE7E77BA87883A6E41E99E337DC2FF7DFF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT)
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L......................"...................@...........................P......................................................1..z...........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.........1...... ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.962002774072566
Encrypted:	false
SSDEEP:	49152:uMSDbcBVQej/1INRx+DX1HkQo6SAARdhn7:uDoBhz1aRxqk36SAEdh7
MD5:	ABA8C6BAE8872F73A473AE3B18F186A4
SHA1:	9567DAB5A9E98B1623E0A12ABA3E5788EB32360F
SHA-256:	13AEAA8228839201C3BF6632AA7696E549773DE4824DCA3FEBE43FE1D20EF477
SHA-512:	F4F6B60997C771D5829DE2E007F2A894A936DF855C100A7D27AF7195DFD9E4C4634E62BFA24103A2CE771EC6ECCF27D19399A1D5552FA9CC02813D5C84E7EEA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.270211266710343
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NLWfV87ouS.dll
File size:	5'267'459 bytes
MD5:	23d048d04f55b993301b477b1b8bd7a8
SHA1:	eef0b45632e55705c1cab4bb6da58e882a8ab865
SHA256:	d048f0164808c5daab17d4e224bcaa079ac7371f36618e9e6d4eb1b2b65c3953
SHA512:	91404577668856cf80d0a566884bbfef9606be70108b4b31932c46feb329b6b7df1be09a96d1d19fae8ed6cae4fe6b9349831b37b129ee14aa97222bd7cec635
SSDEEP:	49152:RnAMSDbcBVQej/1INRx+DX1HkQo6SAARdhn:1ADoBhz1aRxqk36SAEdh
TLSH:	ED36124272FC0178F2B37B70D9BA4661ABB77C652A7ED50E5780055E0CF2E80EA61763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F25191E1C1Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F25191E1C38h
cmp esi, 01h
je 00007F25191E1C17h
cmp esi, 02h
jne 00007F25191E1C34h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F25191E1C1Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F25191E1C1Eh
push edi
push esi
push ebx
call 00007F25191E1B2Ah
test eax, eax
jne 00007F25191E1C16h
xor eax, eax
jmp 00007F25191E1C60h
push edi
push esi
push ebx
call 00007F25191E19DCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F25191E1C1Eh
test eax, eax
jne 00007F25191E1C49h
push edi
push eax
push ebx
call 00007F25191E1B06h
test esi, esi
je 00007F25191E1C17h
cmp esi, 03h
jne 00007F25191E1C38h
push edi
push esi
push ebx
call 00007F25191E1AF5h
test eax, eax
jne 00007F25191E1C15h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F25191E1C23h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F25191E1C1Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	4ca8d8a2ecc4acf499b6a5c3bdc3869d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8742046356201172

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T02:58:48.174980+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.6	56606	1.1.1.1	53	UDP
2025-01-15T02:58:49.093541+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49710	103.224.212.215	80	TCP
2025-01-15T02:58:50.638385+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49713	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:58:42.135881901 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:42.135890961 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:42.464065075 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:45.887983084 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:45.888055086 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:45.888319969 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:45.889339924 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:45.889364958 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.690416098 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.690917015 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.696274042 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.696305037 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.696588993 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.698754072 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.698754072 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.698754072 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.698786974 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.743336916 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.869976997 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.870161057 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:46.870233059 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.870872021 CET	49709	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:46.870889902 CET	443	49709	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:48.486773014 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:48.491657019 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:48.491746902 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:48.492455006 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:48.497163057 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:49.093451977 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:49.093540907 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:49.093667030 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:49.093714952 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:49.227395058 CET	49710	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:49.232403040 CET	80	49710	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:49.422569990 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.427385092 CET	80	49712	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:49.427531958 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.429986954 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.434729099 CET	80	49712	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:49.895385027 CET	80	49712	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:49.895474911 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.895508051 CET	80	49712	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:49.895550013 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.901768923 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:49.901768923 CET	49712	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:50.025569916 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.030575991 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.030663013 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.030791044 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.035598040 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.438128948 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.443069935 CET	80	49714	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.443156004 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.443291903 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.448426008 CET	80	49714	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.638276100 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.638314009 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.638385057 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.638407946 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.641323090 CET	49713	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:50.642657995 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:50.646110058 CET	80	49713	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:50.647568941 CET	80	49720	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:50.647650957 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:50.647815943 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:50.652637959 CET	80	49720	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.042836905 CET	80	49714	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:51.042926073 CET	80	49714	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:51.043061972 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:51.043061972 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:51.046044111 CET	49714	80	192.168.2.6	103.224.212.215
Jan 15, 2025 02:58:51.047698021 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.050805092 CET	80	49714	103.224.212.215	192.168.2.6
Jan 15, 2025 02:58:51.052594900 CET	80	49721	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.052685022 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.052824020 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.057642937 CET	80	49721	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.136511087 CET	80	49720	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.136528969 CET	80	49720	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.136665106 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.143143892 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.143182039 CET	49720	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.207154989 CET	49722	445	192.168.2.6	35.203.187.0
Jan 15, 2025 02:58:51.212150097 CET	445	49722	35.203.187.0	192.168.2.6
Jan 15, 2025 02:58:51.212259054 CET	49722	445	192.168.2.6	35.203.187.0
Jan 15, 2025 02:58:51.212970018 CET	49722	445	192.168.2.6	35.203.187.0
Jan 15, 2025 02:58:51.213175058 CET	49723	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.217822075 CET	445	49722	35.203.187.0	192.168.2.6
Jan 15, 2025 02:58:51.217892885 CET	49722	445	192.168.2.6	35.203.187.0
Jan 15, 2025 02:58:51.217976093 CET	445	49723	35.203.187.1	192.168.2.6
Jan 15, 2025 02:58:51.218059063 CET	49723	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.218136072 CET	49723	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.223052979 CET	445	49723	35.203.187.1	192.168.2.6
Jan 15, 2025 02:58:51.223120928 CET	49723	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.227346897 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.232176065 CET	445	49724	35.203.187.1	192.168.2.6
Jan 15, 2025 02:58:51.232255936 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.232285023 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:58:51.237056017 CET	445	49724	35.203.187.1	192.168.2.6
Jan 15, 2025 02:58:51.518809080 CET	80	49721	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.518829107 CET	80	49721	199.59.243.228	192.168.2.6
Jan 15, 2025 02:58:51.518915892 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.551153898 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.551270008 CET	49721	80	192.168.2.6	199.59.243.228
Jan 15, 2025 02:58:51.745202065 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:51.745206118 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:52.073328972 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:53.184592009 CET	49762	445	192.168.2.6	161.113.71.198
Jan 15, 2025 02:58:53.189513922 CET	445	49762	161.113.71.198	192.168.2.6
Jan 15, 2025 02:58:53.189601898 CET	49762	445	192.168.2.6	161.113.71.198
Jan 15, 2025 02:58:53.189640999 CET	49762	445	192.168.2.6	161.113.71.198
Jan 15, 2025 02:58:53.189886093 CET	49763	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.194684982 CET	445	49762	161.113.71.198	192.168.2.6
Jan 15, 2025 02:58:53.194739103 CET	445	49763	161.113.71.1	192.168.2.6
Jan 15, 2025 02:58:53.194749117 CET	49762	445	192.168.2.6	161.113.71.198
Jan 15, 2025 02:58:53.194860935 CET	49763	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.194916010 CET	49763	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.196075916 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.199821949 CET	445	49763	161.113.71.1	192.168.2.6
Jan 15, 2025 02:58:53.199934006 CET	49763	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.200959921 CET	445	49764	161.113.71.1	192.168.2.6
Jan 15, 2025 02:58:53.201031923 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.201081038 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:58:53.206322908 CET	445	49764	161.113.71.1	192.168.2.6
Jan 15, 2025 02:58:53.738161087 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:53.738218069 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:53.738636971 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:53.739279985 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:53.739298105 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:53.752070904 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 02:58:53.752563000 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:58:54.516700029 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.516787052 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.519067049 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.519089937 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.519433975 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.521651983 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.521724939 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.521754980 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.521985054 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.563339949 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.692280054 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.692369938 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:54.692496061 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.693262100 CET	49772	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:58:54.693294048 CET	443	49772	40.113.110.67	192.168.2.6
Jan 15, 2025 02:58:55.200000048 CET	49798	445	192.168.2.6	185.104.232.204
Jan 15, 2025 02:58:55.204788923 CET	445	49798	185.104.232.204	192.168.2.6
Jan 15, 2025 02:58:55.204858065 CET	49798	445	192.168.2.6	185.104.232.204
Jan 15, 2025 02:58:55.204961061 CET	49798	445	192.168.2.6	185.104.232.204
Jan 15, 2025 02:58:55.205219984 CET	49799	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.209877968 CET	445	49798	185.104.232.204	192.168.2.6
Jan 15, 2025 02:58:55.209943056 CET	49798	445	192.168.2.6	185.104.232.204
Jan 15, 2025 02:58:55.209995985 CET	445	49799	185.104.232.1	192.168.2.6
Jan 15, 2025 02:58:55.210057020 CET	49799	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.210185051 CET	49799	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.211690903 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.215028048 CET	445	49799	185.104.232.1	192.168.2.6
Jan 15, 2025 02:58:55.215076923 CET	49799	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.216512918 CET	445	49800	185.104.232.1	192.168.2.6
Jan 15, 2025 02:58:55.216576099 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.216638088 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:58:55.221425056 CET	445	49800	185.104.232.1	192.168.2.6
Jan 15, 2025 02:58:57.217803001 CET	49834	445	192.168.2.6	46.91.122.159
Jan 15, 2025 02:58:57.222732067 CET	445	49834	46.91.122.159	192.168.2.6
Jan 15, 2025 02:58:57.222824097 CET	49834	445	192.168.2.6	46.91.122.159
Jan 15, 2025 02:58:57.222908020 CET	49834	445	192.168.2.6	46.91.122.159
Jan 15, 2025 02:58:57.223150969 CET	49835	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.227863073 CET	445	49834	46.91.122.159	192.168.2.6
Jan 15, 2025 02:58:57.227938890 CET	445	49835	46.91.122.1	192.168.2.6
Jan 15, 2025 02:58:57.227938890 CET	49834	445	192.168.2.6	46.91.122.159
Jan 15, 2025 02:58:57.228023052 CET	49835	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.228132963 CET	49835	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.230849981 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.232928991 CET	445	49835	46.91.122.1	192.168.2.6
Jan 15, 2025 02:58:57.232991934 CET	49835	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.235671043 CET	445	49836	46.91.122.1	192.168.2.6
Jan 15, 2025 02:58:57.235788107 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.235846996 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:58:57.240596056 CET	445	49836	46.91.122.1	192.168.2.6
Jan 15, 2025 02:58:59.231079102 CET	49867	445	192.168.2.6	101.167.235.244
Jan 15, 2025 02:58:59.235903025 CET	445	49867	101.167.235.244	192.168.2.6
Jan 15, 2025 02:58:59.236093044 CET	49867	445	192.168.2.6	101.167.235.244
Jan 15, 2025 02:58:59.236141920 CET	49867	445	192.168.2.6	101.167.235.244
Jan 15, 2025 02:58:59.236351967 CET	49869	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.241027117 CET	445	49867	101.167.235.244	192.168.2.6
Jan 15, 2025 02:58:59.241094112 CET	49867	445	192.168.2.6	101.167.235.244
Jan 15, 2025 02:58:59.241169930 CET	445	49869	101.167.235.1	192.168.2.6
Jan 15, 2025 02:58:59.241255045 CET	49869	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.241281986 CET	49869	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.242405891 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.246155024 CET	445	49869	101.167.235.1	192.168.2.6
Jan 15, 2025 02:58:59.246211052 CET	49869	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.247257948 CET	445	49870	101.167.235.1	192.168.2.6
Jan 15, 2025 02:58:59.247322083 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.247354031 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:58:59.252140045 CET	445	49870	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:01.247191906 CET	49905	445	192.168.2.6	63.231.161.18
Jan 15, 2025 02:59:01.252101898 CET	445	49905	63.231.161.18	192.168.2.6
Jan 15, 2025 02:59:01.252233028 CET	49905	445	192.168.2.6	63.231.161.18
Jan 15, 2025 02:59:01.252309084 CET	49905	445	192.168.2.6	63.231.161.18
Jan 15, 2025 02:59:01.252456903 CET	49906	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.257368088 CET	445	49906	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:01.257383108 CET	445	49905	63.231.161.18	192.168.2.6
Jan 15, 2025 02:59:01.257443905 CET	49905	445	192.168.2.6	63.231.161.18
Jan 15, 2025 02:59:01.257458925 CET	49906	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.257577896 CET	49906	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.258668900 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.262667894 CET	445	49906	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:01.262722969 CET	49906	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.263420105 CET	445	49907	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:01.263498068 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.263648033 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:01.268392086 CET	445	49907	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:03.262016058 CET	49939	445	192.168.2.6	40.9.17.111
Jan 15, 2025 02:59:03.266798019 CET	445	49939	40.9.17.111	192.168.2.6
Jan 15, 2025 02:59:03.267005920 CET	49939	445	192.168.2.6	40.9.17.111
Jan 15, 2025 02:59:03.267005920 CET	49939	445	192.168.2.6	40.9.17.111
Jan 15, 2025 02:59:03.267170906 CET	49940	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.271976948 CET	445	49940	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:03.272032976 CET	445	49939	40.9.17.111	192.168.2.6
Jan 15, 2025 02:59:03.272049904 CET	49940	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.272108078 CET	49939	445	192.168.2.6	40.9.17.111
Jan 15, 2025 02:59:03.272111893 CET	49940	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.272552013 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.277004004 CET	445	49940	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:03.277059078 CET	49940	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.277379990 CET	445	49941	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:03.277446985 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.277537107 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:03.282335043 CET	445	49941	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:04.120349884 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:04.120496988 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:04.121084929 CET	49956	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:04.121169090 CET	443	49956	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:04.121328115 CET	49956	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:04.122010946 CET	49956	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:04.122030020 CET	443	49956	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:04.129115105 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:04.129127026 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:04.715955019 CET	443	49956	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:04.716125011 CET	49956	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:05.277646065 CET	49980	445	192.168.2.6	155.184.140.85
Jan 15, 2025 02:59:05.282529116 CET	445	49980	155.184.140.85	192.168.2.6
Jan 15, 2025 02:59:05.283137083 CET	49980	445	192.168.2.6	155.184.140.85
Jan 15, 2025 02:59:05.283236980 CET	49980	445	192.168.2.6	155.184.140.85
Jan 15, 2025 02:59:05.288197994 CET	445	49980	155.184.140.85	192.168.2.6
Jan 15, 2025 02:59:05.288413048 CET	49980	445	192.168.2.6	155.184.140.85
Jan 15, 2025 02:59:05.291387081 CET	49981	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.296633005 CET	445	49981	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:05.296699047 CET	49981	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.296730042 CET	49981	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.297135115 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.301843882 CET	445	49981	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:05.301903009 CET	49981	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.301966906 CET	445	49982	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:05.302210093 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.302210093 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:05.307024956 CET	445	49982	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:05.974064112 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:05.974109888 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:05.974373102 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:05.975547075 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:05.975562096 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.765645981 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.765703917 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.772289991 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.772301912 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.772658110 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.778918028 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.778990984 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.778995991 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.779136896 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.819349051 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.955692053 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.956413984 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:06.956494093 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.960335970 CET	49992	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:06.960350990 CET	443	49992	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:07.513768911 CET	50016	445	192.168.2.6	72.138.233.78
Jan 15, 2025 02:59:07.518588066 CET	445	50016	72.138.233.78	192.168.2.6
Jan 15, 2025 02:59:07.520174980 CET	50016	445	192.168.2.6	72.138.233.78
Jan 15, 2025 02:59:07.520551920 CET	50016	445	192.168.2.6	72.138.233.78
Jan 15, 2025 02:59:07.524461031 CET	50019	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.525412083 CET	445	50016	72.138.233.78	192.168.2.6
Jan 15, 2025 02:59:07.525465012 CET	50016	445	192.168.2.6	72.138.233.78
Jan 15, 2025 02:59:07.529320002 CET	445	50019	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:07.529400110 CET	50019	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.529913902 CET	50019	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.530874014 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.534764051 CET	445	50019	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:07.534826994 CET	50019	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.535710096 CET	445	50021	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:07.535770893 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.535816908 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:07.540611029 CET	445	50021	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:09.495798111 CET	50056	445	192.168.2.6	18.166.199.139
Jan 15, 2025 02:59:09.500636101 CET	445	50056	18.166.199.139	192.168.2.6
Jan 15, 2025 02:59:09.500823975 CET	50056	445	192.168.2.6	18.166.199.139
Jan 15, 2025 02:59:09.500897884 CET	50056	445	192.168.2.6	18.166.199.139
Jan 15, 2025 02:59:09.501081944 CET	50057	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.505753994 CET	445	50056	18.166.199.139	192.168.2.6
Jan 15, 2025 02:59:09.505808115 CET	50056	445	192.168.2.6	18.166.199.139
Jan 15, 2025 02:59:09.505855083 CET	445	50057	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:09.505922079 CET	50057	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.505987883 CET	50057	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.506267071 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.510957003 CET	445	50057	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:09.511008024 CET	50057	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.511038065 CET	445	50058	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:09.511113882 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.511137962 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:09.515927076 CET	445	50058	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:11.512042046 CET	50093	445	192.168.2.6	23.170.165.153
Jan 15, 2025 02:59:11.516910076 CET	445	50093	23.170.165.153	192.168.2.6
Jan 15, 2025 02:59:11.517024994 CET	50093	445	192.168.2.6	23.170.165.153
Jan 15, 2025 02:59:11.521989107 CET	50093	445	192.168.2.6	23.170.165.153
Jan 15, 2025 02:59:11.522433043 CET	50094	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.526806116 CET	445	50093	23.170.165.153	192.168.2.6
Jan 15, 2025 02:59:11.526864052 CET	50093	445	192.168.2.6	23.170.165.153
Jan 15, 2025 02:59:11.527177095 CET	445	50094	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:11.527235985 CET	50094	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.527328968 CET	50094	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.527611017 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.532118082 CET	445	50094	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:11.532165051 CET	50094	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.532386065 CET	445	50095	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:11.532445908 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.532483101 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:11.537188053 CET	445	50095	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:12.613862038 CET	445	49724	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:12.614136934 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:12.614195108 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:12.614264011 CET	49724	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:12.618957996 CET	445	49724	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:12.619368076 CET	445	49724	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:13.527268887 CET	50129	445	192.168.2.6	31.108.191.151
Jan 15, 2025 02:59:13.532227039 CET	445	50129	31.108.191.151	192.168.2.6
Jan 15, 2025 02:59:13.532351971 CET	50129	445	192.168.2.6	31.108.191.151
Jan 15, 2025 02:59:13.532351971 CET	50129	445	192.168.2.6	31.108.191.151
Jan 15, 2025 02:59:13.532584906 CET	50130	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.537305117 CET	445	50129	31.108.191.151	192.168.2.6
Jan 15, 2025 02:59:13.537365913 CET	50129	445	192.168.2.6	31.108.191.151
Jan 15, 2025 02:59:13.537367105 CET	445	50130	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:13.537431002 CET	50130	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.537574053 CET	50130	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.537918091 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.542344093 CET	445	50130	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:13.542550087 CET	50130	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.542674065 CET	445	50131	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:13.542732000 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.542884111 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:13.547693014 CET	445	50131	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:14.550262928 CET	445	49764	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:14.550335884 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:14.550398111 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:14.550471067 CET	49764	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:14.555150986 CET	445	49764	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:14.555258989 CET	445	49764	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:15.543045044 CET	50166	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.547890902 CET	445	50166	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.547971010 CET	50166	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.548064947 CET	50166	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.548199892 CET	50167	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.553081036 CET	445	50166	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.553112984 CET	445	50167	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.553150892 CET	50166	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.553189993 CET	50167	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.553275108 CET	50167	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.553596020 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.558154106 CET	445	50167	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.558206081 CET	50167	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.558525085 CET	445	50168	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.558630943 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.558630943 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:15.563580036 CET	445	50168	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:15.620507002 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:15.625468969 CET	445	50171	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:15.625577927 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:15.625619888 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:15.630528927 CET	445	50171	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:16.613444090 CET	445	49800	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:16.613514900 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:16.613595963 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:16.613696098 CET	49800	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:16.618454933 CET	445	49800	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:16.618464947 CET	445	49800	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:17.558113098 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:17.558442116 CET	50191	445	192.168.2.6	148.225.116.104
Jan 15, 2025 02:59:17.623383045 CET	445	50190	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:17.623416901 CET	445	50191	148.225.116.104	192.168.2.6
Jan 15, 2025 02:59:17.623475075 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:17.623507023 CET	50191	445	192.168.2.6	148.225.116.104
Jan 15, 2025 02:59:17.623549938 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:17.623779058 CET	50191	445	192.168.2.6	148.225.116.104
Jan 15, 2025 02:59:17.623982906 CET	50192	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.632230997 CET	445	50190	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:17.632251978 CET	445	50191	148.225.116.104	192.168.2.6
Jan 15, 2025 02:59:17.632266045 CET	445	50192	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:17.632307053 CET	50191	445	192.168.2.6	148.225.116.104
Jan 15, 2025 02:59:17.632360935 CET	50192	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.632445097 CET	50192	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.632771969 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.637506008 CET	445	50192	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:17.637582064 CET	50192	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.637747049 CET	445	50193	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:17.637813091 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.637849092 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:17.642602921 CET	445	50193	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:18.603419065 CET	445	49836	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:18.603575945 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:18.603828907 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:18.603828907 CET	49836	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:18.608632088 CET	445	49836	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:18.608661890 CET	445	49836	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:19.573872089 CET	50208	445	192.168.2.6	163.151.111.193
Jan 15, 2025 02:59:19.578675985 CET	445	50208	163.151.111.193	192.168.2.6
Jan 15, 2025 02:59:19.578785896 CET	50208	445	192.168.2.6	163.151.111.193
Jan 15, 2025 02:59:19.578850985 CET	50208	445	192.168.2.6	163.151.111.193
Jan 15, 2025 02:59:19.579009056 CET	50209	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.583733082 CET	445	50208	163.151.111.193	192.168.2.6
Jan 15, 2025 02:59:19.583836079 CET	445	50209	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:19.583847046 CET	50208	445	192.168.2.6	163.151.111.193
Jan 15, 2025 02:59:19.583920002 CET	50209	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.583956957 CET	50209	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.584259033 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.589543104 CET	445	50211	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:19.589610100 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.589670897 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.589709997 CET	445	50209	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:19.589760065 CET	50209	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:19.594538927 CET	445	50211	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:19.620481968 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:19.625319004 CET	445	50212	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:19.625391006 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:19.625435114 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:19.630182028 CET	445	50212	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:20.613401890 CET	445	49870	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:20.613498926 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:20.613898039 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:20.614029884 CET	49870	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:20.618731022 CET	445	49870	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:20.618761063 CET	445	49870	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:21.589657068 CET	50224	445	192.168.2.6	220.177.196.132
Jan 15, 2025 02:59:21.594506025 CET	445	50224	220.177.196.132	192.168.2.6
Jan 15, 2025 02:59:21.594599962 CET	50224	445	192.168.2.6	220.177.196.132
Jan 15, 2025 02:59:21.594630003 CET	50224	445	192.168.2.6	220.177.196.132
Jan 15, 2025 02:59:21.594909906 CET	50225	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.599680901 CET	445	50224	220.177.196.132	192.168.2.6
Jan 15, 2025 02:59:21.599741936 CET	445	50225	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:21.599747896 CET	50224	445	192.168.2.6	220.177.196.132
Jan 15, 2025 02:59:21.599828005 CET	50225	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.599947929 CET	50225	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.600231886 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.604909897 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:21.605242968 CET	445	50225	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:21.605307102 CET	50225	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.605715990 CET	445	50226	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:21.605787992 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.605798006 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:21.610646009 CET	445	50227	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:21.610716105 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:21.610815048 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:21.611095905 CET	445	50226	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:21.616266012 CET	445	50227	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:22.613643885 CET	445	49907	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:22.613711119 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:22.613837957 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:22.613955975 CET	49907	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:22.618598938 CET	445	49907	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:22.618769884 CET	445	49907	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:23.605575085 CET	50242	445	192.168.2.6	159.140.202.246
Jan 15, 2025 02:59:23.610637903 CET	445	50242	159.140.202.246	192.168.2.6
Jan 15, 2025 02:59:23.610713005 CET	50242	445	192.168.2.6	159.140.202.246
Jan 15, 2025 02:59:23.610764027 CET	50242	445	192.168.2.6	159.140.202.246
Jan 15, 2025 02:59:23.610963106 CET	50243	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.615935087 CET	445	50243	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:23.615998983 CET	50243	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.616027117 CET	50243	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.616060972 CET	445	50242	159.140.202.246	192.168.2.6
Jan 15, 2025 02:59:23.616111040 CET	50242	445	192.168.2.6	159.140.202.246
Jan 15, 2025 02:59:23.616380930 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.620429993 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:23.621036053 CET	445	50243	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:23.621093035 CET	50243	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.621197939 CET	445	50244	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:23.621268034 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.621299982 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:23.625195980 CET	445	50245	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:23.625257015 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:23.625293016 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:23.626141071 CET	445	50244	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:23.630032063 CET	445	50245	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:23.868396044 CET	443	49956	173.222.162.64	192.168.2.6
Jan 15, 2025 02:59:23.868530035 CET	49956	443	192.168.2.6	173.222.162.64
Jan 15, 2025 02:59:24.595587015 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:24.595628977 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:24.595699072 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:24.596419096 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:24.596431971 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:24.629334927 CET	445	49941	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:24.629417896 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:24.629453897 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:24.629488945 CET	49941	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:24.634325027 CET	445	49941	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:24.634356022 CET	445	49941	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:25.416003942 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.416105032 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.417964935 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.417978048 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.418766022 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.421250105 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.421308041 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.421312094 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.421436071 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.467333078 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.606719971 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.606944084 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.607007980 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.607269049 CET	50251	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:25.607290030 CET	443	50251	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:25.620690107 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:25.621023893 CET	50258	445	192.168.2.6	148.177.241.3
Jan 15, 2025 02:59:25.625494957 CET	445	50257	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:25.625574112 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:25.625643969 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:25.625910997 CET	445	50258	148.177.241.3	192.168.2.6
Jan 15, 2025 02:59:25.625967026 CET	50258	445	192.168.2.6	148.177.241.3
Jan 15, 2025 02:59:25.625994921 CET	50258	445	192.168.2.6	148.177.241.3
Jan 15, 2025 02:59:25.626149893 CET	50259	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.630398035 CET	445	50257	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:25.630850077 CET	445	50258	148.177.241.3	192.168.2.6
Jan 15, 2025 02:59:25.630861998 CET	445	50259	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:25.630901098 CET	50258	445	192.168.2.6	148.177.241.3
Jan 15, 2025 02:59:25.630935907 CET	50259	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.630992889 CET	50259	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.631246090 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.635881901 CET	445	50259	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:25.635922909 CET	50259	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.636058092 CET	445	50260	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:25.636116982 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.636132956 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:25.640878916 CET	445	50260	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:26.644747972 CET	445	49982	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:26.646941900 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:26.646994114 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:26.647080898 CET	49982	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:26.651802063 CET	445	49982	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:26.651889086 CET	445	49982	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:27.495876074 CET	50275	445	192.168.2.6	175.101.165.72
Jan 15, 2025 02:59:27.500751019 CET	445	50275	175.101.165.72	192.168.2.6
Jan 15, 2025 02:59:27.502538919 CET	50275	445	192.168.2.6	175.101.165.72
Jan 15, 2025 02:59:27.502634048 CET	50275	445	192.168.2.6	175.101.165.72
Jan 15, 2025 02:59:27.502739906 CET	50276	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.507517099 CET	445	50276	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:27.507571936 CET	445	50275	175.101.165.72	192.168.2.6
Jan 15, 2025 02:59:27.507719040 CET	50275	445	192.168.2.6	175.101.165.72
Jan 15, 2025 02:59:27.507735014 CET	50276	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.507735014 CET	50276	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.508021116 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.512645960 CET	445	50276	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:27.512718916 CET	50276	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.512754917 CET	445	50277	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:27.514591932 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.514591932 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:27.519404888 CET	445	50277	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:27.694224119 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:27.699124098 CET	445	50279	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:27.700756073 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:27.702395916 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:27.707159996 CET	445	50279	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:28.917570114 CET	445	50021	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:28.917792082 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:28.917860985 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:28.917901039 CET	50021	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:28.924515963 CET	445	50021	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:28.924547911 CET	445	50021	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:29.245857954 CET	50290	445	192.168.2.6	159.199.82.84
Jan 15, 2025 02:59:29.250917912 CET	445	50290	159.199.82.84	192.168.2.6
Jan 15, 2025 02:59:29.251046896 CET	50290	445	192.168.2.6	159.199.82.84
Jan 15, 2025 02:59:29.251146078 CET	50290	445	192.168.2.6	159.199.82.84
Jan 15, 2025 02:59:29.251449108 CET	50291	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.256145954 CET	445	50290	159.199.82.84	192.168.2.6
Jan 15, 2025 02:59:29.256237030 CET	50290	445	192.168.2.6	159.199.82.84
Jan 15, 2025 02:59:29.256331921 CET	445	50291	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:29.256495953 CET	50291	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.256495953 CET	50291	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.256884098 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.261497974 CET	445	50291	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:29.261723042 CET	445	50292	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:29.261883974 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.261913061 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.261934996 CET	50291	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:29.266787052 CET	445	50292	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:29.651747942 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:29.656716108 CET	445	50293	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:29.656991005 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:29.657285929 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:29.662132025 CET	445	50293	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:30.883280039 CET	445	50058	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:30.883372068 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:30.884285927 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:30.884329081 CET	50058	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:30.889147997 CET	445	50058	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:30.889178038 CET	445	50058	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:30.892954111 CET	50304	445	192.168.2.6	55.211.247.250
Jan 15, 2025 02:59:30.897887945 CET	445	50304	55.211.247.250	192.168.2.6
Jan 15, 2025 02:59:30.897969961 CET	50304	445	192.168.2.6	55.211.247.250
Jan 15, 2025 02:59:30.898066044 CET	50304	445	192.168.2.6	55.211.247.250
Jan 15, 2025 02:59:30.898212910 CET	50305	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.903110027 CET	445	50304	55.211.247.250	192.168.2.6
Jan 15, 2025 02:59:30.903141022 CET	445	50305	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:30.903160095 CET	50304	445	192.168.2.6	55.211.247.250
Jan 15, 2025 02:59:30.903202057 CET	50305	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.903625011 CET	50305	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.907711983 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.908524036 CET	445	50305	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:30.908575058 CET	50305	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.912581921 CET	445	50306	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:30.912647009 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.912748098 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:30.917526007 CET	445	50306	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:31.933258057 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:31.938059092 CET	445	50313	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:31.941818953 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:31.941818953 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:31.946723938 CET	445	50313	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:32.417658091 CET	50318	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.422525883 CET	445	50318	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.426441908 CET	50318	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.426565886 CET	50318	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.426573038 CET	50319	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.431431055 CET	445	50319	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.431487083 CET	445	50318	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.431565046 CET	50318	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.431641102 CET	50319	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.431642056 CET	50319	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.431865931 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.436604977 CET	445	50319	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.436680079 CET	445	50320	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.436700106 CET	50319	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.436777115 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.436794043 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:32.441601038 CET	445	50320	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:32.895006895 CET	445	50095	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:32.895096064 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:32.895145893 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:32.895175934 CET	50095	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:32.899998903 CET	445	50095	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:32.900010109 CET	445	50095	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:33.839548111 CET	50322	445	192.168.2.6	114.251.20.227
Jan 15, 2025 02:59:33.844341993 CET	445	50322	114.251.20.227	192.168.2.6
Jan 15, 2025 02:59:33.844424009 CET	50322	445	192.168.2.6	114.251.20.227
Jan 15, 2025 02:59:33.844506979 CET	50322	445	192.168.2.6	114.251.20.227
Jan 15, 2025 02:59:33.844652891 CET	50323	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.849457979 CET	445	50322	114.251.20.227	192.168.2.6
Jan 15, 2025 02:59:33.849503994 CET	445	50323	114.251.20.1	192.168.2.6
Jan 15, 2025 02:59:33.849538088 CET	50322	445	192.168.2.6	114.251.20.227
Jan 15, 2025 02:59:33.849564075 CET	50323	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.849632025 CET	50323	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.849942923 CET	50324	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.854523897 CET	445	50323	114.251.20.1	192.168.2.6
Jan 15, 2025 02:59:33.854593992 CET	50323	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.854743004 CET	445	50324	114.251.20.1	192.168.2.6
Jan 15, 2025 02:59:33.854805946 CET	50324	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.854859114 CET	50324	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:33.859622002 CET	445	50324	114.251.20.1	192.168.2.6
Jan 15, 2025 02:59:33.886084080 CET	50325	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:33.891094923 CET	445	50325	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:33.891186953 CET	50325	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:33.891186953 CET	50325	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:33.896285057 CET	445	50325	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:34.927978039 CET	445	50131	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:34.928082943 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:34.928113937 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:34.928169966 CET	50131	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:34.932975054 CET	445	50131	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:34.933007002 CET	445	50131	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:35.167762995 CET	50326	445	192.168.2.6	181.130.123.70
Jan 15, 2025 02:59:35.172593117 CET	445	50326	181.130.123.70	192.168.2.6
Jan 15, 2025 02:59:35.172714949 CET	50326	445	192.168.2.6	181.130.123.70
Jan 15, 2025 02:59:35.172728062 CET	50326	445	192.168.2.6	181.130.123.70
Jan 15, 2025 02:59:35.172986984 CET	50327	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.177810907 CET	445	50326	181.130.123.70	192.168.2.6
Jan 15, 2025 02:59:35.177875996 CET	50326	445	192.168.2.6	181.130.123.70
Jan 15, 2025 02:59:35.177922010 CET	445	50327	181.130.123.1	192.168.2.6
Jan 15, 2025 02:59:35.178020954 CET	50327	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.178101063 CET	50327	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.178278923 CET	50328	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.183046103 CET	445	50327	181.130.123.1	192.168.2.6
Jan 15, 2025 02:59:35.183100939 CET	445	50328	181.130.123.1	192.168.2.6
Jan 15, 2025 02:59:35.183120012 CET	50327	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.183170080 CET	50328	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.183196068 CET	50328	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:35.187974930 CET	445	50328	181.130.123.1	192.168.2.6
Jan 15, 2025 02:59:35.901792049 CET	50329	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:35.906673908 CET	445	50329	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:35.906758070 CET	50329	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:35.906785011 CET	50329	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:35.911601067 CET	445	50329	23.170.165.1	192.168.2.6
Jan 15, 2025 02:59:36.407246113 CET	50330	445	192.168.2.6	84.223.7.174
Jan 15, 2025 02:59:36.412236929 CET	445	50330	84.223.7.174	192.168.2.6
Jan 15, 2025 02:59:36.412324905 CET	50330	445	192.168.2.6	84.223.7.174
Jan 15, 2025 02:59:36.412405968 CET	50330	445	192.168.2.6	84.223.7.174
Jan 15, 2025 02:59:36.412571907 CET	50331	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.417363882 CET	445	50331	84.223.7.1	192.168.2.6
Jan 15, 2025 02:59:36.417435884 CET	445	50330	84.223.7.174	192.168.2.6
Jan 15, 2025 02:59:36.417442083 CET	50331	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.417484999 CET	50330	445	192.168.2.6	84.223.7.174
Jan 15, 2025 02:59:36.419420004 CET	50331	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.423080921 CET	50332	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.424267054 CET	445	50331	84.223.7.1	192.168.2.6
Jan 15, 2025 02:59:36.424284935 CET	445	50331	84.223.7.1	192.168.2.6
Jan 15, 2025 02:59:36.424329996 CET	50331	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.427968979 CET	445	50332	84.223.7.1	192.168.2.6
Jan 15, 2025 02:59:36.428044081 CET	50332	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.430110931 CET	50332	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:36.434974909 CET	445	50332	84.223.7.1	192.168.2.6
Jan 15, 2025 02:59:36.946058989 CET	445	50168	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:36.946122885 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:36.946202993 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:36.946202993 CET	50168	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:36.950962067 CET	445	50168	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:36.950984955 CET	445	50168	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:36.973092079 CET	445	50171	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:36.973169088 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:36.973223925 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:36.973290920 CET	50171	445	192.168.2.6	35.203.187.1
Jan 15, 2025 02:59:36.978108883 CET	445	50171	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:36.978121996 CET	445	50171	35.203.187.1	192.168.2.6
Jan 15, 2025 02:59:37.027266026 CET	50333	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.032100916 CET	445	50333	35.203.187.2	192.168.2.6
Jan 15, 2025 02:59:37.032185078 CET	50333	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.032272100 CET	50333	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.032751083 CET	50334	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.037139893 CET	445	50333	35.203.187.2	192.168.2.6
Jan 15, 2025 02:59:37.037206888 CET	50333	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.037549019 CET	445	50334	35.203.187.2	192.168.2.6
Jan 15, 2025 02:59:37.037611961 CET	50334	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.037655115 CET	50334	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:37.042376995 CET	445	50334	35.203.187.2	192.168.2.6
Jan 15, 2025 02:59:37.558612108 CET	50335	445	192.168.2.6	65.242.217.35
Jan 15, 2025 02:59:37.563648939 CET	445	50335	65.242.217.35	192.168.2.6
Jan 15, 2025 02:59:37.563771963 CET	50335	445	192.168.2.6	65.242.217.35
Jan 15, 2025 02:59:37.563771963 CET	50335	445	192.168.2.6	65.242.217.35
Jan 15, 2025 02:59:37.563961983 CET	50336	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.568973064 CET	445	50336	65.242.217.1	192.168.2.6
Jan 15, 2025 02:59:37.568994045 CET	445	50335	65.242.217.35	192.168.2.6
Jan 15, 2025 02:59:37.569039106 CET	50336	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.569118023 CET	50335	445	192.168.2.6	65.242.217.35
Jan 15, 2025 02:59:37.569189072 CET	50336	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.569590092 CET	50337	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.574029922 CET	445	50336	65.242.217.1	192.168.2.6
Jan 15, 2025 02:59:37.574263096 CET	50336	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.574454069 CET	445	50337	65.242.217.1	192.168.2.6
Jan 15, 2025 02:59:37.574522972 CET	50337	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.574558020 CET	50337	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:37.579293966 CET	445	50337	65.242.217.1	192.168.2.6
Jan 15, 2025 02:59:37.933125973 CET	50338	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:37.938086033 CET	445	50338	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:37.940905094 CET	50338	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:37.940949917 CET	50338	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:37.945806026 CET	445	50338	31.108.191.1	192.168.2.6
Jan 15, 2025 02:59:38.637471914 CET	50339	445	192.168.2.6	23.53.146.99
Jan 15, 2025 02:59:38.642410040 CET	445	50339	23.53.146.99	192.168.2.6
Jan 15, 2025 02:59:38.645822048 CET	50339	445	192.168.2.6	23.53.146.99
Jan 15, 2025 02:59:38.645937920 CET	50339	445	192.168.2.6	23.53.146.99
Jan 15, 2025 02:59:38.646133900 CET	50340	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.650816917 CET	445	50339	23.53.146.99	192.168.2.6
Jan 15, 2025 02:59:38.650913954 CET	445	50340	23.53.146.1	192.168.2.6
Jan 15, 2025 02:59:38.650976896 CET	50339	445	192.168.2.6	23.53.146.99
Jan 15, 2025 02:59:38.651005983 CET	50340	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.651073933 CET	50340	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.651354074 CET	50341	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.655987978 CET	445	50340	23.53.146.1	192.168.2.6
Jan 15, 2025 02:59:38.656172991 CET	445	50341	23.53.146.1	192.168.2.6
Jan 15, 2025 02:59:38.656223059 CET	50340	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.656248093 CET	50341	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.656287909 CET	50341	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:38.661011934 CET	445	50341	23.53.146.1	192.168.2.6
Jan 15, 2025 02:59:39.004539013 CET	445	50190	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:39.004626036 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:39.005204916 CET	445	50193	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:39.005258083 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:39.006354094 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:39.006386995 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:39.006422043 CET	50190	445	192.168.2.6	161.113.71.1
Jan 15, 2025 02:59:39.010813951 CET	50193	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:39.011127949 CET	445	50190	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:39.011185884 CET	445	50193	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:39.011221886 CET	445	50190	161.113.71.1	192.168.2.6
Jan 15, 2025 02:59:39.015582085 CET	445	50193	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:39.125732899 CET	50342	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.130811930 CET	445	50342	161.113.71.2	192.168.2.6
Jan 15, 2025 02:59:39.130902052 CET	50342	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.131004095 CET	50342	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.133006096 CET	50343	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.136291027 CET	445	50342	161.113.71.2	192.168.2.6
Jan 15, 2025 02:59:39.136651993 CET	445	50342	161.113.71.2	192.168.2.6
Jan 15, 2025 02:59:39.136727095 CET	50342	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.137803078 CET	445	50343	161.113.71.2	192.168.2.6
Jan 15, 2025 02:59:39.137871027 CET	50343	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.137928963 CET	50343	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:39.142786980 CET	445	50343	161.113.71.2	192.168.2.6
Jan 15, 2025 02:59:39.652014017 CET	50344	445	192.168.2.6	171.163.176.74
Jan 15, 2025 02:59:39.656925917 CET	445	50344	171.163.176.74	192.168.2.6
Jan 15, 2025 02:59:39.657037020 CET	50344	445	192.168.2.6	171.163.176.74
Jan 15, 2025 02:59:39.657037020 CET	50344	445	192.168.2.6	171.163.176.74
Jan 15, 2025 02:59:39.657262087 CET	50345	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.662086010 CET	445	50345	171.163.176.1	192.168.2.6
Jan 15, 2025 02:59:39.662117958 CET	445	50344	171.163.176.74	192.168.2.6
Jan 15, 2025 02:59:39.662156105 CET	50345	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.662178040 CET	50345	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.662185907 CET	50344	445	192.168.2.6	171.163.176.74
Jan 15, 2025 02:59:39.662561893 CET	50346	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.667442083 CET	445	50345	171.163.176.1	192.168.2.6
Jan 15, 2025 02:59:39.667454958 CET	445	50346	171.163.176.1	192.168.2.6
Jan 15, 2025 02:59:39.667496920 CET	50345	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.667531013 CET	50346	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.667552948 CET	50346	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:39.672313929 CET	445	50346	171.163.176.1	192.168.2.6
Jan 15, 2025 02:59:39.948787928 CET	50347	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:39.953788996 CET	445	50347	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:39.956573009 CET	50347	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:39.956666946 CET	50347	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:39.961805105 CET	445	50347	100.236.46.1	192.168.2.6
Jan 15, 2025 02:59:40.589708090 CET	50348	445	192.168.2.6	49.55.159.218
Jan 15, 2025 02:59:40.594624996 CET	445	50348	49.55.159.218	192.168.2.6
Jan 15, 2025 02:59:40.596609116 CET	50348	445	192.168.2.6	49.55.159.218
Jan 15, 2025 02:59:40.596682072 CET	50348	445	192.168.2.6	49.55.159.218
Jan 15, 2025 02:59:40.596843958 CET	50349	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.601708889 CET	445	50349	49.55.159.1	192.168.2.6
Jan 15, 2025 02:59:40.601723909 CET	445	50348	49.55.159.218	192.168.2.6
Jan 15, 2025 02:59:40.601819992 CET	50348	445	192.168.2.6	49.55.159.218
Jan 15, 2025 02:59:40.601819992 CET	50349	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.602257013 CET	50350	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.606734991 CET	445	50349	49.55.159.1	192.168.2.6
Jan 15, 2025 02:59:40.607068062 CET	445	50350	49.55.159.1	192.168.2.6
Jan 15, 2025 02:59:40.607129097 CET	50349	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.607166052 CET	50350	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.607214928 CET	50350	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:40.611973047 CET	445	50350	49.55.159.1	192.168.2.6
Jan 15, 2025 02:59:40.961513996 CET	445	50211	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:40.961668968 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:40.961703062 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:40.961750031 CET	50211	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:40.966480017 CET	445	50211	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:40.966496944 CET	445	50211	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:40.973335028 CET	445	50212	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:40.973438978 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:40.973486900 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:40.973547935 CET	50212	445	192.168.2.6	185.104.232.1
Jan 15, 2025 02:59:40.978357077 CET	445	50212	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:40.978373051 CET	445	50212	185.104.232.1	192.168.2.6
Jan 15, 2025 02:59:41.026953936 CET	50352	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.031899929 CET	445	50352	185.104.232.2	192.168.2.6
Jan 15, 2025 02:59:41.031996965 CET	50352	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.032053947 CET	50352	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.032377958 CET	50353	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.037179947 CET	445	50352	185.104.232.2	192.168.2.6
Jan 15, 2025 02:59:41.037260056 CET	445	50353	185.104.232.2	192.168.2.6
Jan 15, 2025 02:59:41.037261963 CET	50352	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.037367105 CET	50353	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.037395000 CET	50353	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:41.042188883 CET	445	50353	185.104.232.2	192.168.2.6
Jan 15, 2025 02:59:41.466263056 CET	50354	445	192.168.2.6	207.2.237.20
Jan 15, 2025 02:59:41.471215963 CET	445	50354	207.2.237.20	192.168.2.6
Jan 15, 2025 02:59:41.471327066 CET	50354	445	192.168.2.6	207.2.237.20
Jan 15, 2025 02:59:41.471391916 CET	50354	445	192.168.2.6	207.2.237.20
Jan 15, 2025 02:59:41.471489906 CET	50355	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.476270914 CET	445	50354	207.2.237.20	192.168.2.6
Jan 15, 2025 02:59:41.476347923 CET	445	50354	207.2.237.20	192.168.2.6
Jan 15, 2025 02:59:41.476365089 CET	445	50355	207.2.237.1	192.168.2.6
Jan 15, 2025 02:59:41.476411104 CET	50354	445	192.168.2.6	207.2.237.20
Jan 15, 2025 02:59:41.476454973 CET	50355	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.476547956 CET	50355	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.476798058 CET	50356	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.481597900 CET	445	50355	207.2.237.1	192.168.2.6
Jan 15, 2025 02:59:41.481693029 CET	445	50356	207.2.237.1	192.168.2.6
Jan 15, 2025 02:59:41.481724977 CET	50355	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.481759071 CET	50356	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.481803894 CET	50356	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:41.486576080 CET	445	50356	207.2.237.1	192.168.2.6
Jan 15, 2025 02:59:42.014210939 CET	50357	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:42.019140959 CET	445	50357	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:42.019216061 CET	50357	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:42.019522905 CET	50357	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:42.024410963 CET	445	50357	148.225.116.1	192.168.2.6
Jan 15, 2025 02:59:42.292845011 CET	50358	445	192.168.2.6	72.167.90.103
Jan 15, 2025 02:59:42.297864914 CET	445	50358	72.167.90.103	192.168.2.6
Jan 15, 2025 02:59:42.297950029 CET	50358	445	192.168.2.6	72.167.90.103
Jan 15, 2025 02:59:42.297986031 CET	50358	445	192.168.2.6	72.167.90.103
Jan 15, 2025 02:59:42.298332930 CET	50359	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.303092957 CET	445	50358	72.167.90.103	192.168.2.6
Jan 15, 2025 02:59:42.303143978 CET	50358	445	192.168.2.6	72.167.90.103
Jan 15, 2025 02:59:42.303244114 CET	445	50359	72.167.90.1	192.168.2.6
Jan 15, 2025 02:59:42.303318024 CET	50359	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.303333998 CET	50359	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.303719044 CET	50360	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.308295012 CET	445	50359	72.167.90.1	192.168.2.6
Jan 15, 2025 02:59:42.308360100 CET	50359	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.308509111 CET	445	50360	72.167.90.1	192.168.2.6
Jan 15, 2025 02:59:42.308588982 CET	50360	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.308666945 CET	50360	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:42.313419104 CET	445	50360	72.167.90.1	192.168.2.6
Jan 15, 2025 02:59:42.973453999 CET	445	50227	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:42.973619938 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:42.973752022 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:42.973829985 CET	50227	445	192.168.2.6	46.91.122.1
Jan 15, 2025 02:59:42.978524923 CET	445	50227	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:42.978595972 CET	445	50227	46.91.122.1	192.168.2.6
Jan 15, 2025 02:59:42.989053965 CET	445	50226	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:42.989140987 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:42.989183903 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:42.989221096 CET	50226	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:42.993943930 CET	445	50226	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:42.993969917 CET	445	50226	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:43.027003050 CET	50361	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.032001019 CET	445	50361	46.91.122.2	192.168.2.6
Jan 15, 2025 02:59:43.032098055 CET	50361	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.032138109 CET	50361	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.032546997 CET	50362	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.037137032 CET	445	50361	46.91.122.2	192.168.2.6
Jan 15, 2025 02:59:43.037220955 CET	50361	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.037486076 CET	445	50362	46.91.122.2	192.168.2.6
Jan 15, 2025 02:59:43.037558079 CET	50362	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.037597895 CET	50362	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:43.042361975 CET	445	50362	46.91.122.2	192.168.2.6
Jan 15, 2025 02:59:43.058190107 CET	50363	445	192.168.2.6	115.165.57.231
Jan 15, 2025 02:59:43.063375950 CET	445	50363	115.165.57.231	192.168.2.6
Jan 15, 2025 02:59:43.063462019 CET	50363	445	192.168.2.6	115.165.57.231
Jan 15, 2025 02:59:43.063477993 CET	50363	445	192.168.2.6	115.165.57.231
Jan 15, 2025 02:59:43.063604116 CET	50364	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.068471909 CET	445	50363	115.165.57.231	192.168.2.6
Jan 15, 2025 02:59:43.068486929 CET	445	50364	115.165.57.1	192.168.2.6
Jan 15, 2025 02:59:43.068583965 CET	50364	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.068634987 CET	50363	445	192.168.2.6	115.165.57.231
Jan 15, 2025 02:59:43.068703890 CET	50364	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.069026947 CET	50365	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.073529959 CET	445	50364	115.165.57.1	192.168.2.6
Jan 15, 2025 02:59:43.073698997 CET	50364	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.073959112 CET	445	50365	115.165.57.1	192.168.2.6
Jan 15, 2025 02:59:43.074019909 CET	50365	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.074059010 CET	50365	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:43.078933954 CET	445	50365	115.165.57.1	192.168.2.6
Jan 15, 2025 02:59:43.968527079 CET	50367	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:43.973534107 CET	445	50367	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:43.973622084 CET	50367	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:43.973691940 CET	50367	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:43.978569984 CET	445	50367	163.151.111.1	192.168.2.6
Jan 15, 2025 02:59:44.988857985 CET	445	50245	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:44.988936901 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:44.988990068 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:44.989047050 CET	50245	445	192.168.2.6	101.167.235.1
Jan 15, 2025 02:59:44.993120909 CET	445	50244	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:44.993201971 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:44.993315935 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:44.993315935 CET	50244	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:44.993808985 CET	445	50245	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:44.993823051 CET	445	50245	101.167.235.1	192.168.2.6
Jan 15, 2025 02:59:44.998146057 CET	445	50244	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:44.998159885 CET	445	50244	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:45.042644024 CET	50370	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.047481060 CET	445	50370	101.167.235.2	192.168.2.6
Jan 15, 2025 02:59:45.047569036 CET	50370	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.047667980 CET	50370	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.048118114 CET	50371	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.052560091 CET	445	50370	101.167.235.2	192.168.2.6
Jan 15, 2025 02:59:45.052628040 CET	50370	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.052922010 CET	445	50371	101.167.235.2	192.168.2.6
Jan 15, 2025 02:59:45.052989006 CET	50371	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.053035021 CET	50371	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:45.057751894 CET	445	50371	101.167.235.2	192.168.2.6
Jan 15, 2025 02:59:45.997000933 CET	50375	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:46.002208948 CET	445	50375	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:46.002301931 CET	50375	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:46.002351999 CET	50375	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:46.007183075 CET	445	50375	220.177.196.1	192.168.2.6
Jan 15, 2025 02:59:46.973450899 CET	445	50257	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:46.973547935 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:46.973663092 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:46.973663092 CET	50257	445	192.168.2.6	63.231.161.1
Jan 15, 2025 02:59:46.978471041 CET	445	50257	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:46.978482008 CET	445	50257	63.231.161.1	192.168.2.6
Jan 15, 2025 02:59:47.022381067 CET	445	50260	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:47.022511959 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:47.022608995 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:47.022690058 CET	50260	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:47.026921988 CET	50382	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.027386904 CET	445	50260	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:47.027437925 CET	445	50260	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:47.031714916 CET	445	50382	63.231.161.2	192.168.2.6
Jan 15, 2025 02:59:47.031780005 CET	50382	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.031879902 CET	50382	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.032150030 CET	50383	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.036736012 CET	445	50382	63.231.161.2	192.168.2.6
Jan 15, 2025 02:59:47.037056923 CET	445	50383	63.231.161.2	192.168.2.6
Jan 15, 2025 02:59:47.037115097 CET	50383	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.037153006 CET	50383	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.037170887 CET	50382	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:47.041955948 CET	445	50383	63.231.161.2	192.168.2.6
Jan 15, 2025 02:59:47.995784044 CET	50389	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:48.000926971 CET	445	50389	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:48.001048088 CET	50389	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:48.001094103 CET	50389	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:48.005862951 CET	445	50389	159.140.202.1	192.168.2.6
Jan 15, 2025 02:59:48.317640066 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:48.317711115 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:48.317917109 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:48.318461895 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:48.318474054 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:48.895643950 CET	445	50277	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:48.895745993 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:48.895778894 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:48.895823956 CET	50277	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:48.902173042 CET	445	50277	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:48.902187109 CET	445	50277	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:49.069097996 CET	445	50279	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:49.069341898 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:49.069341898 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:49.069600105 CET	50279	445	192.168.2.6	40.9.17.1
Jan 15, 2025 02:59:49.074268103 CET	445	50279	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:49.074342012 CET	445	50279	40.9.17.1	192.168.2.6
Jan 15, 2025 02:59:49.120771885 CET	50404	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.125782013 CET	445	50404	40.9.17.2	192.168.2.6
Jan 15, 2025 02:59:49.125863075 CET	50404	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.125912905 CET	50404	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.126271009 CET	50405	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.130784035 CET	445	50404	40.9.17.2	192.168.2.6
Jan 15, 2025 02:59:49.130862951 CET	50404	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.131016970 CET	445	50405	40.9.17.2	192.168.2.6
Jan 15, 2025 02:59:49.131076097 CET	50405	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.131114006 CET	50405	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:49.135837078 CET	445	50405	40.9.17.2	192.168.2.6
Jan 15, 2025 02:59:49.138397932 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.138508081 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.140450001 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.140463114 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.141225100 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.144345999 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.144397974 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.144407034 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.144515991 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.191332102 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.324827909 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.324920893 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.325372934 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.325406075 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:49.325418949 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.325418949 CET	50394	443	192.168.2.6	40.113.110.67
Jan 15, 2025 02:59:49.325428009 CET	443	50394	40.113.110.67	192.168.2.6
Jan 15, 2025 02:59:50.026818037 CET	50415	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:50.032834053 CET	445	50415	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:50.032927036 CET	50415	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:50.032954931 CET	50415	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:50.038794994 CET	445	50415	148.177.241.1	192.168.2.6
Jan 15, 2025 02:59:50.660984993 CET	445	50292	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:50.661216021 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:50.661216021 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:50.661258936 CET	50292	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:50.666258097 CET	445	50292	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:50.666269064 CET	445	50292	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:51.004616022 CET	445	50293	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:51.004678965 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:51.004719973 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:51.004740000 CET	50293	445	192.168.2.6	155.184.140.1
Jan 15, 2025 02:59:51.009515047 CET	445	50293	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:51.009526014 CET	445	50293	155.184.140.1	192.168.2.6
Jan 15, 2025 02:59:51.058399916 CET	50433	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.063311100 CET	445	50433	155.184.140.2	192.168.2.6
Jan 15, 2025 02:59:51.063478947 CET	50433	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.063555956 CET	50433	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.064162970 CET	50434	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.068424940 CET	445	50433	155.184.140.2	192.168.2.6
Jan 15, 2025 02:59:51.068520069 CET	50433	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.068938971 CET	445	50434	155.184.140.2	192.168.2.6
Jan 15, 2025 02:59:51.068996906 CET	50434	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.069030046 CET	50434	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:51.073759079 CET	445	50434	155.184.140.2	192.168.2.6
Jan 15, 2025 02:59:51.902019978 CET	50451	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:51.907342911 CET	445	50451	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:51.907478094 CET	50451	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:51.907804966 CET	50451	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:51.912739038 CET	445	50451	175.101.165.1	192.168.2.6
Jan 15, 2025 02:59:52.286830902 CET	445	50306	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:52.286952972 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:52.287072897 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:52.287112951 CET	50306	445	192.168.2.6	55.211.247.1
Jan 15, 2025 02:59:52.291800022 CET	445	50306	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:52.291939020 CET	445	50306	55.211.247.1	192.168.2.6
Jan 15, 2025 02:59:53.317320108 CET	445	50313	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:53.317630053 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:53.317630053 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:53.317630053 CET	50313	445	192.168.2.6	72.138.233.1
Jan 15, 2025 02:59:53.322458982 CET	445	50313	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:53.322473049 CET	445	50313	72.138.233.1	192.168.2.6
Jan 15, 2025 02:59:53.370631933 CET	50495	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.375477076 CET	445	50495	72.138.233.2	192.168.2.6
Jan 15, 2025 02:59:53.375566959 CET	50495	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.375638962 CET	50495	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.375834942 CET	50497	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.380695105 CET	445	50495	72.138.233.2	192.168.2.6
Jan 15, 2025 02:59:53.380711079 CET	445	50497	72.138.233.2	192.168.2.6
Jan 15, 2025 02:59:53.380779982 CET	50495	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.380832911 CET	50497	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.380873919 CET	50497	445	192.168.2.6	72.138.233.2
Jan 15, 2025 02:59:53.385694027 CET	445	50497	72.138.233.2	192.168.2.6
Jan 15, 2025 02:59:53.667391062 CET	50511	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:53.672282934 CET	445	50511	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:53.672370911 CET	50511	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:53.672390938 CET	50511	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:53.677256107 CET	445	50511	159.199.82.1	192.168.2.6
Jan 15, 2025 02:59:53.822762012 CET	445	50320	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:53.822843075 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:53.822882891 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:53.822958946 CET	50320	445	192.168.2.6	14.41.247.1
Jan 15, 2025 02:59:53.827691078 CET	445	50320	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:53.827737093 CET	445	50320	14.41.247.1	192.168.2.6
Jan 15, 2025 02:59:55.244856119 CET	445	50324	114.251.20.1	192.168.2.6
Jan 15, 2025 02:59:55.244921923 CET	50324	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:55.287705898 CET	445	50325	18.166.199.1	192.168.2.6
Jan 15, 2025 02:59:55.287760973 CET	50325	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:56.128369093 CET	50334	445	192.168.2.6	35.203.187.2
Jan 15, 2025 02:59:56.128379107 CET	50415	445	192.168.2.6	148.177.241.1
Jan 15, 2025 02:59:56.128457069 CET	50360	445	192.168.2.6	72.167.90.1
Jan 15, 2025 02:59:56.128475904 CET	50383	445	192.168.2.6	63.231.161.2
Jan 15, 2025 02:59:56.128526926 CET	50451	445	192.168.2.6	175.101.165.1
Jan 15, 2025 02:59:56.128566027 CET	50343	445	192.168.2.6	161.113.71.2
Jan 15, 2025 02:59:56.128597975 CET	50362	445	192.168.2.6	46.91.122.2
Jan 15, 2025 02:59:56.128654957 CET	50405	445	192.168.2.6	40.9.17.2
Jan 15, 2025 02:59:56.128653049 CET	50325	445	192.168.2.6	18.166.199.1
Jan 15, 2025 02:59:56.128679037 CET	50371	445	192.168.2.6	101.167.235.2
Jan 15, 2025 02:59:56.128725052 CET	50375	445	192.168.2.6	220.177.196.1
Jan 15, 2025 02:59:56.128856897 CET	50329	445	192.168.2.6	23.170.165.1
Jan 15, 2025 02:59:56.128894091 CET	50332	445	192.168.2.6	84.223.7.1
Jan 15, 2025 02:59:56.128912926 CET	50328	445	192.168.2.6	181.130.123.1
Jan 15, 2025 02:59:56.128912926 CET	50337	445	192.168.2.6	65.242.217.1
Jan 15, 2025 02:59:56.128930092 CET	50324	445	192.168.2.6	114.251.20.1
Jan 15, 2025 02:59:56.128932953 CET	50338	445	192.168.2.6	31.108.191.1
Jan 15, 2025 02:59:56.128972054 CET	50341	445	192.168.2.6	23.53.146.1
Jan 15, 2025 02:59:56.128998995 CET	50346	445	192.168.2.6	171.163.176.1
Jan 15, 2025 02:59:56.129062891 CET	50350	445	192.168.2.6	49.55.159.1
Jan 15, 2025 02:59:56.129107952 CET	50353	445	192.168.2.6	185.104.232.2
Jan 15, 2025 02:59:56.129139900 CET	50356	445	192.168.2.6	207.2.237.1
Jan 15, 2025 02:59:56.129163027 CET	50347	445	192.168.2.6	100.236.46.1
Jan 15, 2025 02:59:56.129164934 CET	50357	445	192.168.2.6	148.225.116.1
Jan 15, 2025 02:59:56.129190922 CET	50365	445	192.168.2.6	115.165.57.1
Jan 15, 2025 02:59:56.129215002 CET	50367	445	192.168.2.6	163.151.111.1
Jan 15, 2025 02:59:56.129326105 CET	50434	445	192.168.2.6	155.184.140.2
Jan 15, 2025 02:59:56.129412889 CET	50389	445	192.168.2.6	159.140.202.1
Jan 15, 2025 02:59:56.129415989 CET	50511	445	192.168.2.6	159.199.82.1
Jan 15, 2025 02:59:56.129502058 CET	50497	445	192.168.2.6	72.138.233.2
Jan 15, 2025 03:00:20.881232023 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:20.881258011 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:20.881321907 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:20.882158041 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:20.882169008 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.690294981 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.690385103 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.695239067 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.695250988 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.695506096 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.697094917 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.697151899 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.697158098 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.697360992 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.743333101 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.855133057 CET	49705	80	192.168.2.6	2.23.77.188
Jan 15, 2025 03:00:21.855436087 CET	49703	443	192.168.2.6	20.190.159.75
Jan 15, 2025 03:00:21.860076904 CET	80	49705	2.23.77.188	192.168.2.6
Jan 15, 2025 03:00:21.860133886 CET	49705	80	192.168.2.6	2.23.77.188
Jan 15, 2025 03:00:21.860511065 CET	443	49703	20.190.159.75	192.168.2.6
Jan 15, 2025 03:00:21.860565901 CET	49703	443	192.168.2.6	20.190.159.75
Jan 15, 2025 03:00:21.868665934 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.868774891 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:21.868837118 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.869064093 CET	50630	443	192.168.2.6	40.113.110.67
Jan 15, 2025 03:00:21.869082928 CET	443	50630	40.113.110.67	192.168.2.6
Jan 15, 2025 03:00:24.120584965 CET	49707	443	192.168.2.6	20.190.159.75
Jan 15, 2025 03:00:24.125663042 CET	443	49707	20.190.159.75	192.168.2.6
Jan 15, 2025 03:00:24.125734091 CET	49707	443	192.168.2.6	20.190.159.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:58:48.174979925 CET	56606	53	192.168.2.6	1.1.1.1
Jan 15, 2025 02:58:48.480828047 CET	53	56606	1.1.1.1	192.168.2.6
Jan 15, 2025 02:58:49.228581905 CET	57193	53	192.168.2.6	1.1.1.1
Jan 15, 2025 02:58:49.411623955 CET	53	57193	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 02:58:48.174979925 CET	192.168.2.6	1.1.1.1	0xa498	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:58:49.228581905 CET	192.168.2.6	1.1.1.1	0x3d9b	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 02:58:48.480828047 CET	1.1.1.1	192.168.2.6	0xa498	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:58:49.411623955 CET	1.1.1.1	192.168.2.6	0x3d9b	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 02:58:49.411623955 CET	1.1.1.1	192.168.2.6	0x3d9b	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	103.224.212.215	80	6656	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:48.492455006 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 02:58:49.093451977 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:49 GMT server: Apache set-cookie: __tad=1736906329.4755573; expires=Sat, 13-Jan-2035 01:58:49 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	199.59.243.228	80	6656	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:49.429986954 CET	169	OUT	GET /?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 02:58:49.895385027 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:49 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: a1a59836-c29b-4307-ae59-a2380c47c41f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lSqKrO7JRS8rpdAoqZdeFSX3m77Kc56FqN36DP2zY6K2p3B/S1tHVCpeSg0EIroHWk05nWu2WS8SLJDVe3uMXA== set-cookie: parking_session=a1a59836-c29b-4307-ae59-a2380c47c41f; expires=Wed, 15 Jan 2025 02:13:49 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6c 53 71 4b 72 4f 37 4a 52 53 38 72 70 64 41 6f 71 5a 64 65 46 53 58 33 6d 37 37 4b 63 35 36 46 71 4e 33 36 44 50 32 7a 59 36 4b 32 70 33 42 2f 53 31 74 48 56 43 70 65 53 67 30 45 49 72 6f 48 57 6b 30 35 6e 57 75 32 57 53 38 53 4c 4a 44 56 65 33 75 4d 58 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_lSqKrO7JRS8rpdAoqZdeFSX3m77Kc56FqN36DP2zY6K2p3B/S1tHVCpeSg0EIroHWk05nWu2WS8SLJDVe3uMXA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 02:58:49.895508051 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTFhNTk4MzYtYzI5Yi00MzA3LWFlNTktYTIzODBjNDdjNDFmIiwicGFnZV90aW1lIjoxNzM2OTA2MzI5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49713	103.224.212.215	80	5396	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:50.030791044 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 02:58:50.638276100 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:50 GMT server: Apache set-cookie: __tad=1736906330.8135627; expires=Sat, 13-Jan-2035 01:58:50 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc110a content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49714	103.224.212.215	80	6752	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:50.443291903 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736906329.4755573
Jan 15, 2025 02:58:51.042836905 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 01:58:50 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423bb5 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49720	199.59.243.228	80	5396	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:50.647815943 CET	169	OUT	GET /?subid1=20250115-1258-50c9-a80a-e88809fc110a HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 02:58:51.136511087 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:50 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: b18ba605-2ff0-49d5-9465-ecf7ed54bef4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hmpkYa8f/shn/0Qs+xlKDE3o8PzHE1LptxT6oRrXBTZJ82WdAa/LoceoKbfebHz5WfrZwtQZi5QG+TQ0ksHD4A== set-cookie: parking_session=b18ba605-2ff0-49d5-9465-ecf7ed54bef4; expires=Wed, 15 Jan 2025 02:13:51 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 6d 70 6b 59 61 38 66 2f 73 68 6e 2f 30 51 73 2b 78 6c 4b 44 45 33 6f 38 50 7a 48 45 31 4c 70 74 78 54 36 6f 52 72 58 42 54 5a 4a 38 32 57 64 41 61 2f 4c 6f 63 65 6f 4b 62 66 65 62 48 7a 35 57 66 72 5a 77 74 51 5a 69 35 51 47 2b 54 51 30 6b 73 48 44 34 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hmpkYa8f/shn/0Qs+xlKDE3o8PzHE1LptxT6oRrXBTZJ82WdAa/LoceoKbfebHz5WfrZwtQZi5QG+TQ0ksHD4A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 02:58:51.136528969 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjE4YmE2MDUtMmZmMC00OWQ1LTk0NjUtZWNmN2VkNTRiZWY0IiwicGFnZV90aW1lIjoxNzM2OTA2MzMxLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49721	199.59.243.228	80	6752	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:58:51.052824020 CET	231	OUT	GET /?subid1=20250115-1258-50a1-9cf3-708b13423bb5 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=a1a59836-c29b-4307-ae59-a2380c47c41f
Jan 15, 2025 02:58:51.518809080 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 01:58:51 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: f9321d36-9857-44c9-b5e8-ed5c41173b96 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IzXOzdmbIhNshfk3snOdy4NGDq8qxPryCsWM7wUhl/b++WP4Hb27fW6nnWnCzjXmemT0eoNf5z3wYJEbIVrJug== set-cookie: parking_session=a1a59836-c29b-4307-ae59-a2380c47c41f; expires=Wed, 15 Jan 2025 02:13:51 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 7a 58 4f 7a 64 6d 62 49 68 4e 73 68 66 6b 33 73 6e 4f 64 79 34 4e 47 44 71 38 71 78 50 72 79 43 73 57 4d 37 77 55 68 6c 2f 62 2b 2b 57 50 34 48 62 32 37 66 57 36 6e 6e 57 6e 43 7a 6a 58 6d 65 6d 54 30 65 6f 4e 66 35 7a 33 77 59 4a 45 62 49 56 72 4a 75 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IzXOzdmbIhNshfk3snOdy4NGDq8qxPryCsWM7wUhl/b++WP4Hb27fW6nnWnCzjXmemT0eoNf5z3wYJEbIVrJug==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 02:58:51.518829107 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTFhNTk4MzYtYzI5Yi00MzA3LWFlNTktYTIzODBjNDdjNDFmIiwicGFnZV90aW1lIjoxNzM2OTA2MzMxLCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 01:58:46 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 69 4e 48 41 36 72 71 45 42 6b 6d 52 71 54 71 76 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 39 37 61 35 32 36 37 36 63 35 65 63 35 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: iNHA6rqEBkmRqTqv.1Context: 4197a52676c5ec59
2025-01-15 01:58:46 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 01:58:46 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 69 4e 48 41 36 72 71 45 42 6b 6d 52 71 54 71 76 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 39 37 61 35 32 36 37 36 63 35 65 63 35 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: iNHA6rqEBkmRqTqv.2Context: 4197a52676c5ec59<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUp
2025-01-15 01:58:46 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 69 4e 48 41 36 72 71 45 42 6b 6d 52 71 54 71 76 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 31 39 37 61 35 32 36 37 36 63 35 65 63 35 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: iNHA6rqEBkmRqTqv.3Context: 4197a52676c5ec59<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 01:58:46 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 01:58:46 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 78 48 67 63 64 75 54 73 41 6b 61 73 37 50 75 34 68 6f 50 4f 45 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: xHgcduTsAkas7Pu4hoPOEg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49772	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 01:58:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 63 2f 31 62 6c 34 7a 6b 7a 30 2b 79 61 36 67 4c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 63 34 34 30 30 35 38 65 35 66 62 34 64 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: c/1bl4zkz0+ya6gL.1Context: bcc440058e5fb4dc
2025-01-15 01:58:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 01:58:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 63 2f 31 62 6c 34 7a 6b 7a 30 2b 79 61 36 67 4c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 63 34 34 30 30 35 38 65 35 66 62 34 64 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: c/1bl4zkz0+ya6gL.2Context: bcc440058e5fb4dc<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUp
2025-01-15 01:58:54 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 63 2f 31 62 6c 34 7a 6b 7a 30 2b 79 61 36 67 4c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 63 34 34 30 30 35 38 65 35 66 62 34 64 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: c/1bl4zkz0+ya6gL.3Context: bcc440058e5fb4dc<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 01:58:54 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 01:58:54 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 31 4a 48 34 58 31 41 47 59 45 6d 54 5a 73 44 6e 50 6d 35 2b 33 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 1JH4X1AGYEmTZsDnPm5+3w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	49992	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 01:59:06 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 45 72 6e 41 4e 72 50 36 79 55 4b 76 64 32 6e 48 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 33 30 38 37 36 61 65 35 35 33 33 33 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: ErnANrP6yUKvd2nH.1Context: 7d30876ae553332
2025-01-15 01:59:06 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 01:59:06 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 45 72 6e 41 4e 72 50 36 79 55 4b 76 64 32 6e 48 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 33 30 38 37 36 61 65 35 35 33 33 33 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 51 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: ErnANrP6yUKvd2nH.2Context: 7d30876ae553332<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUpQ
2025-01-15 01:59:06 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 45 72 6e 41 4e 72 50 36 79 55 4b 76 64 32 6e 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 33 30 38 37 36 61 65 35 35 33 33 33 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: ErnANrP6yUKvd2nH.3Context: 7d30876ae553332<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 01:59:06 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 01:59:06 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 63 64 65 79 66 71 2b 58 72 55 71 72 77 64 49 56 4f 61 75 73 74 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: cdeyfq+XrUqrwdIVOaustw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50251	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 01:59:25 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 54 59 4b 42 35 75 61 2f 54 6b 47 4e 59 49 41 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 66 65 32 31 62 65 32 66 35 62 32 31 35 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: TYKB5ua/TkGNYIA3.1Context: b9fe21be2f5b215b
2025-01-15 01:59:25 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 01:59:25 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 54 59 4b 42 35 75 61 2f 54 6b 47 4e 59 49 41 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 66 65 32 31 62 65 32 66 35 62 32 31 35 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: TYKB5ua/TkGNYIA3.2Context: b9fe21be2f5b215b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUp
2025-01-15 01:59:25 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 54 59 4b 42 35 75 61 2f 54 6b 47 4e 59 49 41 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 66 65 32 31 62 65 32 66 35 62 32 31 35 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: TYKB5ua/TkGNYIA3.3Context: b9fe21be2f5b215b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 01:59:25 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 01:59:25 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 55 7a 6a 68 69 45 59 4e 75 45 79 70 6d 42 6c 6d 58 5a 72 30 57 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: UzjhiEYNuEypmBlmXZr0Wg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50394	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 01:59:49 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 67 69 54 78 4a 6e 6b 4b 64 45 2b 35 4e 39 45 78 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 30 63 30 61 39 61 65 63 66 39 33 61 35 37 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: giTxJnkKdE+5N9Ex.1Context: 730c0a9aecf93a57
2025-01-15 01:59:49 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 01:59:49 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 67 69 54 78 4a 6e 6b 4b 64 45 2b 35 4e 39 45 78 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 30 63 30 61 39 61 65 63 66 39 33 61 35 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: giTxJnkKdE+5N9Ex.2Context: 730c0a9aecf93a57<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUp
2025-01-15 01:59:49 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 67 69 54 78 4a 6e 6b 4b 64 45 2b 35 4e 39 45 78 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 30 63 30 61 39 61 65 63 66 39 33 61 35 37 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: giTxJnkKdE+5N9Ex.3Context: 730c0a9aecf93a57<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 01:59:49 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 01:59:49 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 54 65 30 78 65 33 4b 73 61 45 53 4a 57 2f 79 6d 78 6a 64 56 76 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Te0xe3KsaESJW/ymxjdVvA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50630	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 02:00:21 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 55 45 50 43 4a 51 52 50 4d 45 69 66 6a 58 46 30 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 38 63 34 36 35 66 61 66 36 33 35 35 61 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: UEPCJQRPMEifjXF0.1Context: 5f8c465faf6355a3
2025-01-15 02:00:21 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 02:00:21 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 55 45 50 43 4a 51 52 50 4d 45 69 66 6a 58 46 30 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 38 63 34 36 35 66 61 66 36 33 35 35 61 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 48 6f 32 6b 35 34 70 50 46 49 41 55 4f 77 76 5a 70 49 39 75 59 59 6b 71 35 5a 54 7a 44 74 4f 48 34 32 48 69 4f 58 4e 78 6d 6c 52 61 69 72 68 45 49 79 6a 74 74 4b 68 39 2f 63 39 58 61 48 36 78 62 2f 6f 6c 63 64 47 48 56 4d 6e 70 51 4e 59 6f 4b 66 72 33 38 78 7a 31 30 74 62 78 73 42 63 50 67 4d 75 56 34 30 31 53 78 49 55 70 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: UEPCJQRPMEifjXF0.2Context: 5f8c465faf6355a3<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATHo2k54pPFIAUOwvZpI9uYYkq5ZTzDtOH42HiOXNxmlRairhEIyjttKh9/c9XaH6xb/olcdGHVMnpQNYoKfr38xz10tbxsBcPgMuV401SxIUp
2025-01-15 02:00:21 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 55 45 50 43 4a 51 52 50 4d 45 69 66 6a 58 46 30 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 38 63 34 36 35 66 61 66 36 33 35 35 61 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: UEPCJQRPMEifjXF0.3Context: 5f8c465faf6355a3<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 02:00:21 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 02:00:21 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 34 32 49 78 52 63 75 65 6b 45 6d 48 75 4a 42 58 63 57 65 38 76 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 42IxRcuekEmHuJBXcWe8vQ.0Payload parsing failed.

Target ID:	0
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll"
Imagebase:	0x900000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\NLWfV87ouS.dll,PlayGame
Imagebase:	0xa10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",#1
Imagebase:	0xa10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:58:46
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6F25163220B24FB054B144BE9F82C096
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2171769143.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvr.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvr.exe, Author: Florian Roth (based on rule by US CERT)
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:58:49
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6F25163220B24FB054B144BE9F82C096
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2195861336.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2849584166.0000000001E5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2849831934.0000000002381000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:58:49
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\NLWfV87ouS.dll",PlayGame
Imagebase:	0xa10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:58:49
Start date:	14/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	6F25163220B24FB054B144BE9F82C096
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2213069023.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2199520983.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WriteFile, xrefs: 00407D1C
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12

Memory Dump Source

Source File: 00000006.00000002.2208982673.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2208967105.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209003050.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209059971.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209149463.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2208982673.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2208967105.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209003050.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209059971.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209149463.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2208982673.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2208967105.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209003050.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209059971.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209149463.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90
mssecsvc2.1, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2208982673.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2208967105.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209003050.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209059971.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209149463.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2208982673.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2208967105.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209003050.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209059971.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2209149463.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 5396, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2848770341.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2848755748.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848786545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848851957.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848866187.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848962196.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2848770341.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2848755748.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848786545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848851957.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848866187.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848962196.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000008.00000002.2848770341.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2848755748.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848786545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848851957.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848866187.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848962196.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000008.00000002.2848770341.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2848755748.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848786545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848851957.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848866187.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848962196.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2848770341.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2848755748.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848786545.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848801495.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848851957.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848866187.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2848962196.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423b	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/n	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc11	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc110a	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423bb5	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 86%
Source: C:\Windows\mssecsvr.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 86%

Source: C:\Windows\mssecsvr.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: NLWfV87ouS.dll	Virustotal: Detection: 94%			Perma Link
Source: NLWfV87ouS.dll	ReversingLabs: Detection: 92%

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50251 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50630 version: TLS 1.2

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-49b3-8be1-4b52c7dcf2a9 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736906329.4755573
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-50c9-a80a-e88809fc110a HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?subid1=20250115-1258-50a1-9cf3-708b13423bb5 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=a1a59836-c29b-4307-ae59-a2380c47c41f

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49713 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 103.224.212.215:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.0
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.0
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.0
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.0
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.203.187.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.198
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.198
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.198
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.198
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.113.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.104.232.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.159
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1
Source: unknown	TCP traffic detected without corresponding DNS query: 46.91.122.1

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-49b3-8be1-4b52c7dcf2
Source: mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50a1-9cf3-708b13423b
Source: mssecsvr.exe, 00000008.00000002.2849180029.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2208462022.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-1258-50c9-a80a-e88809fc11
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/n
Source: mssecsvr.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2208462022.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2849180029.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2213559856.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 0000000A.00000002.2213559856.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/7
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/:s~A
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/us
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/~
Source: mssecsvr.exe, 0000000A.00000002.2213559856.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com2$6.5
Source: mssecsvr.exe, 00000008.00000002.2848722808.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000006.00000002.2209504571.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comYs
Source: mssecsvr.exe, 00000008.00000002.2849180029.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.commmEn

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50394
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50630
Source: unknown	Network traffic detected: HTTP traffic on port 50630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: Yara match	File source: NLWfV87ouS.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvr.exe.23728c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e5e104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e4f084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2381948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e5e104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.1e5a0a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.237d8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvr.exe.2381948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2848837892.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2213069023.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2195861336.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2199520983.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2171769143.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2209019561.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2849584166.0000000001E5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2849831934.0000000002381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 5396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvr.exe, type: DROPPED

Source: NLWfV87ouS.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23728c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e4f084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23728c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.23728c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e4f084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1e4f084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2381948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2381948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e5e104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1e5a0a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.237d8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2381948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)

Source: NLWfV87ouS.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23728c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e4f084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23728c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.23728c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e5e104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e4f084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1e4f084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2381948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2381948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e5e104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1e5a0a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.237d8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2381948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvr.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A

Source: tasksche.exe.6.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NLWfV87ouS.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvr.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
NLWfV87ouS.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre