Edit tour

Windows Analysis Report
2lX8Z3eydC.dll

Overview

General Information

Sample name:	2lX8Z3eydC.dll renamed because original name is a hash value
Original sample name:	f356feea7d644eacf46ec2266b13b456.dll
Analysis ID:	1592032
MD5:	f356feea7d644eacf46ec2266b13b456
SHA1:	f90b66ee791e9ad7d5303057beb7ed1de6f9ae8d
SHA256:	63785c337d06fa167b999584d2ed0e47e6e1698a48153b4bc2a41689da5289b1
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many IPs within the same subnet mask (likely port scanning)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5644 cmdline: loaddll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3496 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6404 cmdline: rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 4328 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 178018208D64CFFD440180008D212F1A)

rundll32.exe (PID: 5252 cmdline: rundll32.exe C:\Users\user\Desktop\2lX8Z3eydC.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1656 cmdline: rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 3796 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 178018208D64CFFD440180008D212F1A)

mssecsvc.exe (PID: 2012 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 178018208D64CFFD440180008D212F1A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2lX8Z3eydC.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2lX8Z3eydC.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2170224322.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2162227567.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2188539151.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2190736841.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2811124459.0000000002292000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2810873658.0000000001D66000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 4328	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 2012	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 3796	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.1d57084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1d57084.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.22838c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.22838c8.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.22b596c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.22b596c.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.22838c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.22838c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.22838c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.22838c8.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
10.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d89128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d89128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d66104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d66104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d66104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1d66104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d66104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d89128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d89128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.22b596c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.22b596c.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.2292948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.2292948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.2292948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d57084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d57084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x27fbb0:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x24a26c:$x7: mssecsvc.exe 0x265b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27fb88:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x24a254:$s1: C:\%s\%s 0x265b7c:$s1: C:\%s\%s 0x27fb9c:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x27ced0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x26a2c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x257975:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x2520ba:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1d57084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1d57084.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2828fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x256984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2568d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25825a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2880a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.2292948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.2292948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.228e8e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.228e8e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d620a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d620a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Click to see the 77 entries

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03

Source: 2lX8Z3eydC.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2lX8Z3eydC.dll,PlayGame

Source: 2lX8Z3eydC.dll	ReversingLabs: Detection: 92%
Source: 2lX8Z3eydC.dll	Virustotal: Detection: 90%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2lX8Z3eydC.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2lX8Z3eydC.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 2lX8Z3eydC.dll

Static file information: File size 5267459 > 1048576

Source: 2lX8Z3eydC.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvc.exe

Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep time: -172000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6080	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6080	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 0000000A.00000002.2191172244.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: mssecsvc.exe, 00000006.00000002.2181573620.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2810607069.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2lX8Z3eydC.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
2lX8Z3eydC.dll	90%	Virustotal		Browse
2lX8Z3eydC.dll	100%	Avira	TR/Ransom.Gen
2lX8Z3eydC.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
221.250.196.1	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
167.139.11.44	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
5.166.179.137	unknown	Russian Federation	12768	ER-TELECOM-ASRU	false
32.209.198.19	unknown	United States	46690	SNET-FCCUS	false
131.24.232.195	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
128.171.224.1	unknown	United States	6360	UNIVHAWAIIUS	false
215.114.213.132	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
64.71.233.8	unknown	United States	27229	WEBHOST-ASN1US	false
64.71.233.2	unknown	United States	27229	WEBHOST-ASN1US	false
64.71.233.1	unknown	United States	27229	WEBHOST-ASN1US	false
215.114.213.1	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
158.219.90.2	unknown	United States	2274	CBOUS	false
158.219.90.1	unknown	United States	2274	CBOUS	false
86.64.193.173	unknown	France	15557	LDCOMNETFR	false
176.57.93.132	unknown	Slovenia	3212	TELEMACHBroadbandAccessCarrierServicesSI	false
183.177.251.218	unknown	Japan	2519	VECTANTARTERIANetworksCorporationJP	false
32.209.198.2	unknown	United States	46690	SNET-FCCUS	false
32.209.198.1	unknown	United States	46690	SNET-FCCUS	false
107.234.183.19	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
201.222.228.147	unknown	Chile	7418	TELEFONICACHILESACL	false
153.9.75.60	unknown	United States	13548	CHARLESTON-ASUS	true
126.217.0.2	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true
126.217.0.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true
67.15.60.1	unknown	United States	36351	SOFTLAYERUS	false
126.217.0.4	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true
126.217.0.3	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592032
Start date and time:	2025-01-15 17:12:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2lX8Z3eydC.dll renamed because original name is a hash value
Original Sample Name:	f356feea7d644eacf46ec2266b13b456.dll
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winDLL@18/3@0/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.23.77.188, 199.232.214.172, 217.20.57.20, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:13:04	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:13:37	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ER-TELECOM-ASRU	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	81.19.73.31
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	81.19.73.31
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	81.19.73.31
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	46.147.58.102
	ppc.elf	Get hash	malicious	Unknown	Browse	46.146.187.169
	jew.arm.elf	Get hash	malicious	Unknown	Browse	46.146.25.162
	a9YMw44iQq.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	5.166.171.54
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	46.146.25.127
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	46.146.139.233
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	46.146.98.8
SNET-FCCUS	ppc.elf	Get hash	malicious	Unknown	Browse	32.212.164.124
	momo.mips.elf	Get hash	malicious	Mirai	Browse	32.212.164.103
	armv4l.elf	Get hash	malicious	Mirai	Browse	32.221.43.196
	splsh4.elf	Get hash	malicious	Unknown	Browse	32.211.253.73
	nklm68k.elf	Get hash	malicious	Unknown	Browse	32.220.131.224
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	32.208.36.201
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	32.223.84.220
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	32.219.148.67
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.220.253.163
	IGz.x86.elf	Get hash	malicious	Mirai	Browse	32.211.102.53
UCOMARTERIANetworksCorporationJP	bot.spc.elf	Get hash	malicious	Unknown	Browse	113.32.51.88
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	122.211.182.76
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	43.238.151.212
	i686.elf	Get hash	malicious	Mirai	Browse	59.87.31.27
	arm5.elf	Get hash	malicious	Mirai	Browse	43.234.132.32
	xd.mips.elf	Get hash	malicious	Mirai	Browse	59.87.13.179
	xd.spc.elf	Get hash	malicious	Mirai	Browse	113.36.203.167
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	220.151.124.6
	la.bot.x86_64.elf	Get hash	malicious	Mirai	Browse	43.237.252.90
	ruXU7wj3X9.dll	Get hash	malicious	Wannacry	Browse	124.35.234.1
CHINANET-SH-APChinaTelecomGroupCN	bot.x86.elf	Get hash	malicious	Unknown	Browse	101.87.175.147
	bot.spc.elf	Get hash	malicious	Unknown	Browse	202.101.35.137
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	180.152.101.163
	bot.arm.elf	Get hash	malicious	Unknown	Browse	114.87.176.14
	i686.elf	Get hash	malicious	Mirai	Browse	45.124.125.139
	sh4.elf	Get hash	malicious	Mirai	Browse	116.192.8.62
	arm4.elf	Get hash	malicious	Mirai	Browse	45.124.125.117
	mpsl.elf	Get hash	malicious	Mirai	Browse	222.69.32.67
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	116.233.80.35
	mips.elf	Get hash	malicious	Mirai	Browse	124.75.117.239

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	173.222.162.64
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://reviewpolicysocialreach.vercel.app/help&z/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	Updater.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	Updater.exe	Get hash	malicious	Unknown	Browse	40.113.103.199
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	40.113.103.199
	https://pub-2d00d32ff6d84ef6999828eaf509b772.r2.dev/index.html#watson.becky@aidb.org	Get hash	malicious	HTMLPhisher	Browse	40.113.103.199
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.103.199
	http://www.flamingoblv.com	Get hash	malicious	Unknown	Browse	40.113.103.199
	NZZ71x6Cyz.dll	Get hash	malicious	Wannacry	Browse	40.113.103.199
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	40.113.103.199

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.9952915977400725
Encrypted:	true
SSDEEP:	98304:QpNcZ/+OawKZO/Q0qHPRJAKvSteNbsBLkVGXX:QncZzajOI0mvA9df
MD5:	135AF9459A23DB081FD7DFA9D085580B
SHA1:	1D288377407581B51127CAC078F4E32FEBC99D96
SHA-256:	9A015A8577A43C76B11DD0E79D12901E03AFD71394AFD046DB699A215B338908
SHA-512:	4836C9506C5C47AA1464155A4E52AA01EF0C61BE5838B962D9729681303B0B983F4E12CCDB14F6D2FEE6FB0AC425645F806AA0148CFF7B3956DF21A6A2F6784E
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	7.9689598026856405
Encrypted:	false
SSDEEP:	98304:Z8pNcZ/+OawKZO/Q0qHPRJAKvSteNbsBLkVGXS:Z8ncZzajOI0mvA9dK
MD5:	178018208D64CFFD440180008D212F1A
SHA1:	F9ED18B62C28CD012F91A9137D284EFF44518641
SHA-256:	01200B11BBEB18E5F322CF705296256A07985ED69BF9B78F4E73BD3E7659FB51
SHA-512:	3FD34C807A3AF58E6FC31AFC9214E6BE58064C9C62651F321B7088BDDF48D879FE02CB9DC5DB66E362BD0CDCE47F0E571ED086B0CA017B3595947E151BD005ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.9952915977400725
Encrypted:	true
SSDEEP:	98304:QpNcZ/+OawKZO/Q0qHPRJAKvSteNbsBLkVGXX:QncZzajOI0mvA9df
MD5:	135AF9459A23DB081FD7DFA9D085580B
SHA1:	1D288377407581B51127CAC078F4E32FEBC99D96
SHA-256:	9A015A8577A43C76B11DD0E79D12901E03AFD71394AFD046DB699A215B338908
SHA-512:	4836C9506C5C47AA1464155A4E52AA01EF0C61BE5838B962D9729681303B0B983F4E12CCDB14F6D2FEE6FB0AC425645F806AA0148CFF7B3956DF21A6A2F6784E
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.42288173845038
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2lX8Z3eydC.dll
File size:	5'267'459 bytes
MD5:	f356feea7d644eacf46ec2266b13b456
SHA1:	f90b66ee791e9ad7d5303057beb7ed1de6f9ae8d
SHA256:	63785c337d06fa167b999584d2ed0e47e6e1698a48153b4bc2a41689da5289b1
SHA512:	11cecee6f11f81cbe1f0c1e208f56a5e93e35b57ee28cd9bd35ca518f3580b117716f1a04e7746d7a7dff29d529822d03ea3ca677900f738c651abed714ceb44
SSDEEP:	98304:d8pNcZ/+OawKZO/Q0qHPRJAKvSteNbsBLkVGX:d8ncZzajOI0mvA9d
TLSH:	E8361239FE4F94EEC0B0843CC023A99F11B19E669531AE626DF9CF424E47B56E351A07
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FC3C46B4AFBh
cmp dword ptr [10003140h], 00000000h
jmp 00007FC3C46B4B18h
cmp esi, 01h
je 00007FC3C46B4AF7h
cmp esi, 02h
jne 00007FC3C46B4B14h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC3C46B4AFBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FC3C46B4AFEh
push edi
push esi
push ebx
call 00007FC3C46B4A0Ah
test eax, eax
jne 00007FC3C46B4AF6h
xor eax, eax
jmp 00007FC3C46B4B40h
push edi
push esi
push ebx
call 00007FC3C46B48BCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FC3C46B4AFEh
test eax, eax
jne 00007FC3C46B4B29h
push edi
push eax
push ebx
call 00007FC3C46B49E6h
test esi, esi
je 00007FC3C46B4AF7h
cmp esi, 03h
jne 00007FC3C46B4B18h
push edi
push esi
push ebx
call 00007FC3C46B49D5h
test eax, eax
jne 00007FC3C46B4AF5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FC3C46B4B03h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC3C46B4AFAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	bea982eda69f31a6f613dd4b3bca64de	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8695516586303711

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:12:56.084516048 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:12:56.084583044 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:12:56.397005081 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:02.348862886 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:02.348954916 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:02.349071026 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:02.349850893 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:02.349884987 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.185605049 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.185694933 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.191005945 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.191035986 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.191358089 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.196125984 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.196261883 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.196274996 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.196499109 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.239372015 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.380036116 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.380250931 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:03.380347013 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.380570889 CET	49709	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:03.380594015 CET	443	49709	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:04.821094036 CET	49710	445	192.168.2.6	126.217.0.72
Jan 15, 2025 17:13:04.826229095 CET	445	49710	126.217.0.72	192.168.2.6
Jan 15, 2025 17:13:04.826303959 CET	49710	445	192.168.2.6	126.217.0.72
Jan 15, 2025 17:13:04.826344967 CET	49710	445	192.168.2.6	126.217.0.72
Jan 15, 2025 17:13:04.826560020 CET	49711	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.831279993 CET	445	49710	126.217.0.72	192.168.2.6
Jan 15, 2025 17:13:04.831340075 CET	49710	445	192.168.2.6	126.217.0.72
Jan 15, 2025 17:13:04.831397057 CET	445	49711	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:04.831461906 CET	49711	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.831496954 CET	49711	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.836764097 CET	445	49711	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:04.836815119 CET	49711	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.839880943 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.844880104 CET	445	49713	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:04.844949961 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.845031023 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:04.849813938 CET	445	49713	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:05.693804979 CET	49673	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:05.694008112 CET	49674	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:06.006491899 CET	49672	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:06.273981094 CET	49731	445	192.168.2.6	24.145.43.215
Jan 15, 2025 17:13:06.279834986 CET	445	49731	24.145.43.215	192.168.2.6
Jan 15, 2025 17:13:06.279926062 CET	49731	445	192.168.2.6	24.145.43.215
Jan 15, 2025 17:13:06.279969931 CET	49731	445	192.168.2.6	24.145.43.215
Jan 15, 2025 17:13:06.280289888 CET	49732	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.285487890 CET	445	49732	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:06.285521030 CET	445	49731	24.145.43.215	192.168.2.6
Jan 15, 2025 17:13:06.285566092 CET	49732	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.285592079 CET	49731	445	192.168.2.6	24.145.43.215
Jan 15, 2025 17:13:06.285608053 CET	49732	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.286808968 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.290915966 CET	445	49732	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:06.290983915 CET	49732	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.291723967 CET	445	49733	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:06.291785002 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.291830063 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:06.297785044 CET	445	49733	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:06.743654013 CET	445	49713	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:06.743748903 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:06.743875027 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:06.743875027 CET	49713	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:06.748754978 CET	445	49713	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:06.748785973 CET	445	49713	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:07.730767012 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:07.730845928 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:08.288877010 CET	49768	445	192.168.2.6	32.209.198.19
Jan 15, 2025 17:13:08.293668985 CET	445	49768	32.209.198.19	192.168.2.6
Jan 15, 2025 17:13:08.293751955 CET	49768	445	192.168.2.6	32.209.198.19
Jan 15, 2025 17:13:08.293780088 CET	49768	445	192.168.2.6	32.209.198.19
Jan 15, 2025 17:13:08.293935061 CET	49769	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.298680067 CET	445	49768	32.209.198.19	192.168.2.6
Jan 15, 2025 17:13:08.298698902 CET	445	49769	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:08.298738956 CET	49768	445	192.168.2.6	32.209.198.19
Jan 15, 2025 17:13:08.298780918 CET	49769	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.298861980 CET	49769	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.299933910 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.303699970 CET	445	49769	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:08.303750038 CET	49769	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.304702997 CET	445	49770	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:08.304770947 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.304816008 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:08.309572935 CET	445	49770	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:09.756866932 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:09.761744976 CET	445	49792	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:09.761820078 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:09.761894941 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:09.766746998 CET	445	49792	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:10.339744091 CET	49803	445	192.168.2.6	64.71.233.8
Jan 15, 2025 17:13:10.344603062 CET	445	49803	64.71.233.8	192.168.2.6
Jan 15, 2025 17:13:10.344686031 CET	49803	445	192.168.2.6	64.71.233.8
Jan 15, 2025 17:13:10.344854116 CET	49803	445	192.168.2.6	64.71.233.8
Jan 15, 2025 17:13:10.345037937 CET	49804	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.349690914 CET	445	49803	64.71.233.8	192.168.2.6
Jan 15, 2025 17:13:10.349780083 CET	49803	445	192.168.2.6	64.71.233.8
Jan 15, 2025 17:13:10.349946976 CET	445	49804	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:10.350014925 CET	49804	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.350123882 CET	49804	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.353636026 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.354041100 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:10.354082108 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:10.354140043 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:10.354655027 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:10.354669094 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:10.354990005 CET	445	49804	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:10.355042934 CET	49804	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.358479023 CET	445	49805	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:10.358546019 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.358591080 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:10.363528967 CET	445	49805	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:11.149668932 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.149749994 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.151385069 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.151396036 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.151660919 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.153393030 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.153464079 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.153469086 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.153597116 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.199348927 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.328634977 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.328763962 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.328852892 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.329060078 CET	49806	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:11.329077005 CET	443	49806	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:11.628655910 CET	445	49792	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:11.628807068 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:11.628807068 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:11.628865957 CET	49792	445	192.168.2.6	126.217.0.1
Jan 15, 2025 17:13:11.633801937 CET	445	49792	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:11.633833885 CET	445	49792	126.217.0.1	192.168.2.6
Jan 15, 2025 17:13:11.694835901 CET	49831	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.700035095 CET	445	49831	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:11.700205088 CET	49831	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.700247049 CET	49831	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.701317072 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.705513000 CET	445	49831	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:11.705576897 CET	49831	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.706264019 CET	445	49832	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:11.706336975 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.706387997 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:11.711213112 CET	445	49832	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:12.351366997 CET	49844	445	192.168.2.6	153.9.75.60
Jan 15, 2025 17:13:12.356403112 CET	445	49844	153.9.75.60	192.168.2.6
Jan 15, 2025 17:13:12.356508017 CET	49844	445	192.168.2.6	153.9.75.60
Jan 15, 2025 17:13:12.356542110 CET	49844	445	192.168.2.6	153.9.75.60
Jan 15, 2025 17:13:12.356730938 CET	49845	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.361556053 CET	445	49845	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:12.361632109 CET	49845	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.361670017 CET	49845	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.361700058 CET	445	49844	153.9.75.60	192.168.2.6
Jan 15, 2025 17:13:12.361754894 CET	49844	445	192.168.2.6	153.9.75.60
Jan 15, 2025 17:13:12.362591982 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.366647959 CET	445	49845	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:12.367465973 CET	445	49846	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:12.367532969 CET	49845	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.367561102 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.367630005 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:12.372380018 CET	445	49846	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:13.580918074 CET	445	49832	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:13.580997944 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:13.581058025 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:13.581104994 CET	49832	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:13.585810900 CET	445	49832	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:13.585843086 CET	445	49832	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:13.834203005 CET	445	49846	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:13.834408045 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:13.834408045 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:13.834408045 CET	49846	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:13.839442968 CET	445	49846	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:13.839476109 CET	445	49846	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:14.367086887 CET	49879	445	192.168.2.6	176.57.93.132
Jan 15, 2025 17:13:14.372026920 CET	445	49879	176.57.93.132	192.168.2.6
Jan 15, 2025 17:13:14.372126102 CET	49879	445	192.168.2.6	176.57.93.132
Jan 15, 2025 17:13:14.372164965 CET	49879	445	192.168.2.6	176.57.93.132
Jan 15, 2025 17:13:14.372350931 CET	49880	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.377161980 CET	445	49880	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:14.377233982 CET	49880	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.377264977 CET	49880	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.378317118 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.379553080 CET	445	49879	176.57.93.132	192.168.2.6
Jan 15, 2025 17:13:14.383235931 CET	445	49881	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:14.383327961 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.383373022 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.383573055 CET	445	49880	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:14.384371042 CET	445	49879	176.57.93.132	192.168.2.6
Jan 15, 2025 17:13:14.384445906 CET	49879	445	192.168.2.6	176.57.93.132
Jan 15, 2025 17:13:14.384867907 CET	445	49880	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:14.384924889 CET	49880	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:14.388221979 CET	445	49881	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:16.381767035 CET	49919	445	192.168.2.6	202.166.106.94
Jan 15, 2025 17:13:16.388134003 CET	445	49919	202.166.106.94	192.168.2.6
Jan 15, 2025 17:13:16.388268948 CET	49919	445	192.168.2.6	202.166.106.94
Jan 15, 2025 17:13:16.388268948 CET	49919	445	192.168.2.6	202.166.106.94
Jan 15, 2025 17:13:16.388392925 CET	49920	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.394742966 CET	445	49919	202.166.106.94	192.168.2.6
Jan 15, 2025 17:13:16.394753933 CET	445	49920	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:16.394826889 CET	49920	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.394876957 CET	49919	445	192.168.2.6	202.166.106.94
Jan 15, 2025 17:13:16.394927025 CET	49920	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.395142078 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.401482105 CET	445	49920	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:16.401493073 CET	445	49921	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:16.401540995 CET	49920	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.401690006 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.401690006 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:16.408173084 CET	445	49921	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:16.584950924 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:16.589757919 CET	445	49925	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:16.589833975 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:16.589951038 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:16.594763041 CET	445	49925	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:16.850656033 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:16.856889963 CET	445	49932	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:16.856985092 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:16.860258102 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:16.866756916 CET	445	49932	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:17.488599062 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:17.488599062 CET	49706	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:17.489018917 CET	49943	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:17.489072084 CET	443	49943	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:17.489152908 CET	49943	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:17.493511915 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:17.493549109 CET	443	49706	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:17.493890047 CET	49943	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:17.493928909 CET	443	49943	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:18.109764099 CET	443	49943	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:18.109841108 CET	49943	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:18.339289904 CET	445	49932	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:18.339363098 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:18.339411020 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:18.339468002 CET	49932	445	192.168.2.6	153.9.75.1
Jan 15, 2025 17:13:18.344279051 CET	445	49932	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:18.344295979 CET	445	49932	153.9.75.1	192.168.2.6
Jan 15, 2025 17:13:18.397341013 CET	49962	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.397567987 CET	49963	445	192.168.2.6	158.219.90.184
Jan 15, 2025 17:13:18.403439045 CET	445	49962	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:18.403471947 CET	445	49963	158.219.90.184	192.168.2.6
Jan 15, 2025 17:13:18.403516054 CET	49962	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.403547049 CET	49963	445	192.168.2.6	158.219.90.184
Jan 15, 2025 17:13:18.403552055 CET	49962	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.403573990 CET	49963	445	192.168.2.6	158.219.90.184
Jan 15, 2025 17:13:18.403704882 CET	49964	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.403955936 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.408533096 CET	445	49964	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:18.408591032 CET	49964	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.408608913 CET	49964	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.408677101 CET	445	49962	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:18.408737898 CET	49962	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.408791065 CET	445	49963	158.219.90.184	192.168.2.6
Jan 15, 2025 17:13:18.408839941 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.408850908 CET	49963	445	192.168.2.6	158.219.90.184
Jan 15, 2025 17:13:18.408858061 CET	445	49965	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:18.408967972 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.409001112 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:18.413654089 CET	445	49964	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:18.413667917 CET	445	49966	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:18.413710117 CET	49964	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.413750887 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.413778067 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:18.413779020 CET	445	49965	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:18.418528080 CET	445	49966	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:18.491380930 CET	445	49925	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:18.491460085 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:18.491509914 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:18.491581917 CET	49925	445	192.168.2.6	126.217.0.2
Jan 15, 2025 17:13:18.496412039 CET	445	49925	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:18.496443033 CET	445	49925	126.217.0.2	192.168.2.6
Jan 15, 2025 17:13:18.553958893 CET	49970	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.558855057 CET	445	49970	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:18.558932066 CET	49970	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.559181929 CET	49970	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.559427023 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.564016104 CET	445	49970	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:18.564105034 CET	49970	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.564232111 CET	445	49971	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:18.564387083 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.564445972 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:18.569235086 CET	445	49971	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:19.896214008 CET	445	49965	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:19.896281958 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:19.896334887 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:19.896347046 CET	49965	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:19.901218891 CET	445	49965	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:19.901249886 CET	445	49965	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:20.413238049 CET	50004	445	192.168.2.6	166.43.168.52
Jan 15, 2025 17:13:20.418334961 CET	445	50004	166.43.168.52	192.168.2.6
Jan 15, 2025 17:13:20.418422937 CET	50004	445	192.168.2.6	166.43.168.52
Jan 15, 2025 17:13:20.418483019 CET	50004	445	192.168.2.6	166.43.168.52
Jan 15, 2025 17:13:20.418620110 CET	50005	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.423687935 CET	445	50005	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:20.423722029 CET	445	50004	166.43.168.52	192.168.2.6
Jan 15, 2025 17:13:20.423753023 CET	50005	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.423784018 CET	50004	445	192.168.2.6	166.43.168.52
Jan 15, 2025 17:13:20.423852921 CET	50005	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.424127102 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.428940058 CET	445	50005	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:20.429011106 CET	50005	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.429044962 CET	445	50006	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:20.429121017 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.429157972 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:20.434262991 CET	445	50006	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:20.441262960 CET	445	49971	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:20.441323996 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:20.441364050 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:20.441391945 CET	49971	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:20.446180105 CET	445	49971	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:20.446248055 CET	445	49971	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:22.429709911 CET	50041	445	192.168.2.6	128.171.224.244
Jan 15, 2025 17:13:22.434930086 CET	445	50041	128.171.224.244	192.168.2.6
Jan 15, 2025 17:13:22.436580896 CET	50041	445	192.168.2.6	128.171.224.244
Jan 15, 2025 17:13:22.436580896 CET	50041	445	192.168.2.6	128.171.224.244
Jan 15, 2025 17:13:22.436655998 CET	50042	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.441693068 CET	445	50041	128.171.224.244	192.168.2.6
Jan 15, 2025 17:13:22.441728115 CET	445	50042	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:22.441916943 CET	50041	445	192.168.2.6	128.171.224.244
Jan 15, 2025 17:13:22.441940069 CET	50042	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.441941023 CET	50042	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.442166090 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.447124958 CET	445	50043	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:22.447146893 CET	445	50042	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:22.447218895 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.447283030 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.447355986 CET	50042	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:22.452348948 CET	445	50043	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:22.638716936 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:22.638803005 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:22.638925076 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:22.639520884 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:22.639605045 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:22.897201061 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:22.903199911 CET	445	50053	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:22.903320074 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:22.903476000 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:22.908997059 CET	445	50053	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:23.444000959 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:23.448990107 CET	445	50064	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:23.449095011 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:23.449163914 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:23.453161001 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.453253984 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.453996897 CET	445	50064	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:23.457727909 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.457747936 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.458574057 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.460297108 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.460341930 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.460359097 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.460488081 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.507332087 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.661278963 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.661761045 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:23.661983013 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.662632942 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.662632942 CET	50048	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:23.662700891 CET	443	50048	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:24.368596077 CET	445	50053	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:24.372795105 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:24.372795105 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:24.372899055 CET	50053	445	192.168.2.6	153.9.75.2
Jan 15, 2025 17:13:24.377667904 CET	445	50053	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:24.377695084 CET	445	50053	153.9.75.2	192.168.2.6
Jan 15, 2025 17:13:24.428493023 CET	50081	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.433384895 CET	445	50081	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:24.433494091 CET	50081	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.433536053 CET	50081	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.433796883 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.438596964 CET	445	50081	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:24.438611984 CET	445	50082	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:24.438663960 CET	50081	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.438708067 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.438708067 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:24.443533897 CET	445	50082	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:24.444236040 CET	50083	445	192.168.2.6	67.15.60.148
Jan 15, 2025 17:13:24.449070930 CET	445	50083	67.15.60.148	192.168.2.6
Jan 15, 2025 17:13:24.449136972 CET	50083	445	192.168.2.6	67.15.60.148
Jan 15, 2025 17:13:24.449167967 CET	50083	445	192.168.2.6	67.15.60.148
Jan 15, 2025 17:13:24.449358940 CET	50085	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.454071045 CET	445	50083	67.15.60.148	192.168.2.6
Jan 15, 2025 17:13:24.454098940 CET	445	50085	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:24.454186916 CET	50083	445	192.168.2.6	67.15.60.148
Jan 15, 2025 17:13:24.454189062 CET	50085	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.454363108 CET	50085	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.454456091 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.459150076 CET	445	50085	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:24.459331036 CET	50085	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.459356070 CET	445	50086	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:24.459506989 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.459544897 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:24.464282036 CET	445	50086	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:25.311777115 CET	445	50064	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:25.311850071 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:25.311935902 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:25.311937094 CET	50064	445	192.168.2.6	126.217.0.3
Jan 15, 2025 17:13:25.316729069 CET	445	50064	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:25.316744089 CET	445	50064	126.217.0.3	192.168.2.6
Jan 15, 2025 17:13:25.365878105 CET	50103	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.370662928 CET	445	50103	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:25.370724916 CET	50103	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.370769024 CET	50103	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.371010065 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.375545025 CET	445	50103	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:25.375914097 CET	445	50103	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:25.375922918 CET	445	50104	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:25.375957966 CET	50103	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.376005888 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.376046896 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:25.380779028 CET	445	50104	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:25.901046038 CET	445	50082	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:25.901108027 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:25.901129961 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:25.901170015 CET	50082	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:25.906263113 CET	445	50082	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:25.906275988 CET	445	50082	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:26.466995001 CET	50123	445	192.168.2.6	35.167.167.165
Jan 15, 2025 17:13:26.471884012 CET	445	50123	35.167.167.165	192.168.2.6
Jan 15, 2025 17:13:26.471963882 CET	50123	445	192.168.2.6	35.167.167.165
Jan 15, 2025 17:13:26.471990108 CET	50123	445	192.168.2.6	35.167.167.165
Jan 15, 2025 17:13:26.472239017 CET	50124	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.476896048 CET	445	50123	35.167.167.165	192.168.2.6
Jan 15, 2025 17:13:26.476948023 CET	50123	445	192.168.2.6	35.167.167.165
Jan 15, 2025 17:13:26.477044106 CET	445	50124	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:26.477109909 CET	50124	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.477178097 CET	50124	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.477399111 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.482134104 CET	445	50124	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:26.482191086 CET	50124	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.482259989 CET	445	50125	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:26.482325077 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.482367992 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:26.487154961 CET	445	50125	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:27.255193949 CET	445	50104	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:27.255400896 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:27.255400896 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:27.255400896 CET	50104	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:27.260288000 CET	445	50104	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:27.260315895 CET	445	50104	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:27.685228109 CET	445	49733	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:27.685415983 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:27.685415983 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:27.685524940 CET	49733	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:27.690269947 CET	445	49733	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:27.690325022 CET	445	49733	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:28.475682020 CET	50160	445	192.168.2.6	131.24.232.195
Jan 15, 2025 17:13:28.480561018 CET	445	50160	131.24.232.195	192.168.2.6
Jan 15, 2025 17:13:28.480654955 CET	50160	445	192.168.2.6	131.24.232.195
Jan 15, 2025 17:13:28.480673075 CET	50160	445	192.168.2.6	131.24.232.195
Jan 15, 2025 17:13:28.480822086 CET	50161	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.485718012 CET	445	50161	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:28.485749960 CET	445	50160	131.24.232.195	192.168.2.6
Jan 15, 2025 17:13:28.485789061 CET	50161	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.485815048 CET	50160	445	192.168.2.6	131.24.232.195
Jan 15, 2025 17:13:28.485933065 CET	50161	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.486212969 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.490988016 CET	445	50162	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:28.491054058 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.491065025 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.491527081 CET	445	50161	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:28.493536949 CET	445	50161	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:28.493601084 CET	50161	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:28.496536016 CET	445	50162	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:28.912867069 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:28.917767048 CET	445	50171	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:28.917871952 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:28.917953014 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:28.922718048 CET	445	50171	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:29.665909052 CET	445	49770	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:29.665987968 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:29.666068077 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:29.666102886 CET	49770	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:29.670900106 CET	445	49770	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:29.670908928 CET	445	49770	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:30.256688118 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:30.261657000 CET	445	50177	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:30.261742115 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:30.261831045 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:30.267096996 CET	445	50177	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:30.379968882 CET	445	50171	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:30.380063057 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:30.380155087 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:30.380155087 CET	50171	445	192.168.2.6	153.9.75.3
Jan 15, 2025 17:13:30.384993076 CET	445	50171	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:30.385003090 CET	445	50171	153.9.75.3	192.168.2.6
Jan 15, 2025 17:13:30.444168091 CET	50181	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.449033976 CET	445	50181	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:30.449115992 CET	50181	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.449126959 CET	50181	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.449486017 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.454372883 CET	445	50181	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:30.454385042 CET	445	50182	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:30.454441071 CET	50181	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.454479933 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.454549074 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:30.459364891 CET	445	50182	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:30.491166115 CET	50183	445	192.168.2.6	107.234.183.19
Jan 15, 2025 17:13:30.496452093 CET	445	50183	107.234.183.19	192.168.2.6
Jan 15, 2025 17:13:30.496515989 CET	50183	445	192.168.2.6	107.234.183.19
Jan 15, 2025 17:13:30.496617079 CET	50183	445	192.168.2.6	107.234.183.19
Jan 15, 2025 17:13:30.496932983 CET	50184	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.501785994 CET	445	50183	107.234.183.19	192.168.2.6
Jan 15, 2025 17:13:30.501796007 CET	445	50184	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:30.501862049 CET	50183	445	192.168.2.6	107.234.183.19
Jan 15, 2025 17:13:30.501921892 CET	50184	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.501965046 CET	50184	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.502114058 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.507165909 CET	445	50185	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:30.507174015 CET	445	50184	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:30.507241964 CET	50184	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.507245064 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.507291079 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:30.512852907 CET	445	50185	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:30.694170952 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:30.699218988 CET	445	50188	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:30.699321985 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:30.699342012 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:30.704219103 CET	445	50188	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:31.743942976 CET	445	49805	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:31.744019985 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:31.744110107 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:31.744132996 CET	49805	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:31.748919010 CET	445	49805	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:31.748939991 CET	445	49805	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:31.913640022 CET	445	50182	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:31.913714886 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:31.913764954 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:31.913788080 CET	50182	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:31.918576002 CET	445	50182	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:31.918590069 CET	445	50182	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:32.130542994 CET	445	50177	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:32.130625010 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:32.130712032 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:32.130712032 CET	50177	445	192.168.2.6	126.217.0.4
Jan 15, 2025 17:13:32.137034893 CET	445	50177	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:32.137065887 CET	445	50177	126.217.0.4	192.168.2.6
Jan 15, 2025 17:13:32.194174051 CET	50199	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.199063063 CET	445	50199	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:32.199134111 CET	50199	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.199151993 CET	50199	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.199412107 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.204247952 CET	445	50200	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:32.204301119 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.204329014 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.205382109 CET	445	50199	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:32.205431938 CET	50199	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:32.209134102 CET	445	50200	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:32.508137941 CET	50201	445	192.168.2.6	146.244.82.172
Jan 15, 2025 17:13:32.513113022 CET	445	50201	146.244.82.172	192.168.2.6
Jan 15, 2025 17:13:32.513196945 CET	50201	445	192.168.2.6	146.244.82.172
Jan 15, 2025 17:13:32.513227940 CET	50201	445	192.168.2.6	146.244.82.172
Jan 15, 2025 17:13:32.513365984 CET	50203	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.518171072 CET	445	50203	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:32.518260002 CET	50203	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.518421888 CET	50203	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.518783092 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.519562960 CET	445	50201	146.244.82.172	192.168.2.6
Jan 15, 2025 17:13:32.520019054 CET	445	50201	146.244.82.172	192.168.2.6
Jan 15, 2025 17:13:32.520078897 CET	50201	445	192.168.2.6	146.244.82.172
Jan 15, 2025 17:13:32.523415089 CET	445	50203	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:32.523475885 CET	50203	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.523628950 CET	445	50204	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:32.523719072 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.523719072 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:32.528553009 CET	445	50204	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:32.678472042 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:32.683336020 CET	445	50207	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:32.683424950 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:32.683511972 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:32.688251972 CET	445	50207	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:34.089257956 CET	445	50200	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:34.089340925 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:34.089396000 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:34.089396000 CET	50200	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:34.094243050 CET	445	50200	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:34.094250917 CET	445	50200	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:34.522900105 CET	50220	445	192.168.2.6	86.67.1.18
Jan 15, 2025 17:13:34.527767897 CET	445	50220	86.67.1.18	192.168.2.6
Jan 15, 2025 17:13:34.527977943 CET	50221	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.527975082 CET	50220	445	192.168.2.6	86.67.1.18
Jan 15, 2025 17:13:34.527975082 CET	50220	445	192.168.2.6	86.67.1.18
Jan 15, 2025 17:13:34.532795906 CET	445	50221	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:34.532882929 CET	50221	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.532907009 CET	50221	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.532977104 CET	445	50220	86.67.1.18	192.168.2.6
Jan 15, 2025 17:13:34.533212900 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.533279896 CET	50220	445	192.168.2.6	86.67.1.18
Jan 15, 2025 17:13:34.537962914 CET	445	50221	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:34.538006067 CET	445	50222	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:34.538017035 CET	50221	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.538095951 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.538095951 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:34.542923927 CET	445	50222	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:34.756835938 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:34.761878014 CET	445	50223	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:34.762110949 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:34.762213945 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:34.767079115 CET	445	50223	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:34.928375006 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:34.933226109 CET	445	50226	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:34.933475971 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:34.933475971 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:34.938335896 CET	445	50226	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:35.758567095 CET	445	49881	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:35.758779049 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:35.758779049 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:35.758877993 CET	49881	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:35.763746977 CET	445	49881	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:35.763761997 CET	445	49881	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:36.217322111 CET	445	50222	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:36.217578888 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:36.217580080 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:36.217638016 CET	50222	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:36.222510099 CET	445	50222	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:36.222538948 CET	445	50222	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:36.397653103 CET	445	50226	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:36.397751093 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:36.399643898 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:36.399719954 CET	50226	445	192.168.2.6	153.9.75.4
Jan 15, 2025 17:13:36.404643059 CET	445	50226	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:36.404674053 CET	445	50226	153.9.75.4	192.168.2.6
Jan 15, 2025 17:13:36.459873915 CET	50237	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.464854002 CET	445	50237	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:36.464946985 CET	50237	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.464986086 CET	50237	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.465332985 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.469913006 CET	445	50237	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:36.469988108 CET	50237	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.470186949 CET	445	50238	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:36.470244884 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.470274925 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:36.475234032 CET	445	50238	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:36.538070917 CET	50240	445	192.168.2.6	217.163.243.7
Jan 15, 2025 17:13:36.542872906 CET	445	50240	217.163.243.7	192.168.2.6
Jan 15, 2025 17:13:36.542960882 CET	50240	445	192.168.2.6	217.163.243.7
Jan 15, 2025 17:13:36.543040037 CET	50240	445	192.168.2.6	217.163.243.7
Jan 15, 2025 17:13:36.543239117 CET	50241	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.547919035 CET	445	50240	217.163.243.7	192.168.2.6
Jan 15, 2025 17:13:36.547974110 CET	445	50241	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:36.547986984 CET	50240	445	192.168.2.6	217.163.243.7
Jan 15, 2025 17:13:36.548034906 CET	50241	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.548079967 CET	50241	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.548345089 CET	50242	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.553092003 CET	445	50242	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:36.553105116 CET	445	50241	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:36.553162098 CET	50241	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.553181887 CET	50242	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:36.557961941 CET	445	50242	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:37.100377083 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:37.105310917 CET	445	50245	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:37.105407953 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:37.105453014 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:37.110311985 CET	445	50245	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:37.265408993 CET	443	49943	173.222.162.64	192.168.2.6
Jan 15, 2025 17:13:37.265486956 CET	49943	443	192.168.2.6	173.222.162.64
Jan 15, 2025 17:13:37.775329113 CET	445	49921	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:37.775420904 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:37.775511026 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:37.775511026 CET	49921	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:37.780380011 CET	445	49921	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:37.780395031 CET	445	49921	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:37.944050074 CET	445	50238	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:37.944148064 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:37.944217920 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:37.944217920 CET	50238	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:37.949037075 CET	445	50238	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:37.949167967 CET	445	50238	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:38.553668976 CET	50256	445	192.168.2.6	183.177.251.218
Jan 15, 2025 17:13:38.558468103 CET	445	50256	183.177.251.218	192.168.2.6
Jan 15, 2025 17:13:38.558537960 CET	50256	445	192.168.2.6	183.177.251.218
Jan 15, 2025 17:13:38.558564901 CET	50256	445	192.168.2.6	183.177.251.218
Jan 15, 2025 17:13:38.558646917 CET	50257	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.563375950 CET	445	50257	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:38.563427925 CET	50257	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.563451052 CET	50257	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.563827038 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.563833952 CET	445	50256	183.177.251.218	192.168.2.6
Jan 15, 2025 17:13:38.563888073 CET	50256	445	192.168.2.6	183.177.251.218
Jan 15, 2025 17:13:38.568432093 CET	445	50257	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:38.568479061 CET	50257	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.568612099 CET	445	50258	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:38.568666935 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.568691969 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:38.573539972 CET	445	50258	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:38.772291899 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:38.777210951 CET	445	50261	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:38.777287960 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:38.777342081 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:13:38.782062054 CET	445	50261	176.57.93.1	192.168.2.6
Jan 15, 2025 17:13:38.975876093 CET	445	50245	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:38.975951910 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:38.975991964 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:38.976013899 CET	50245	445	192.168.2.6	126.217.0.5
Jan 15, 2025 17:13:38.980756998 CET	445	50245	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:38.980771065 CET	445	50245	126.217.0.5	192.168.2.6
Jan 15, 2025 17:13:39.037863016 CET	50263	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.042722940 CET	445	50263	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:39.042793989 CET	50263	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.042836905 CET	50263	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.043102980 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.047769070 CET	445	50263	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:39.047816992 CET	50263	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.047934055 CET	445	50264	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:39.048099995 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.048136950 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:39.052879095 CET	445	50264	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:39.225413084 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:39.230302095 CET	445	50267	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:39.230384111 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:39.230423927 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:39.235203981 CET	445	50267	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:39.790224075 CET	445	49966	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:39.790291071 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:39.790369987 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:39.790369987 CET	49966	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:39.797535896 CET	445	49966	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:39.797549963 CET	445	49966	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:40.429258108 CET	50275	445	192.168.2.6	187.139.204.103
Jan 15, 2025 17:13:40.434016943 CET	445	50275	187.139.204.103	192.168.2.6
Jan 15, 2025 17:13:40.434102058 CET	50275	445	192.168.2.6	187.139.204.103
Jan 15, 2025 17:13:40.434253931 CET	50275	445	192.168.2.6	187.139.204.103
Jan 15, 2025 17:13:40.434580088 CET	50276	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.439445972 CET	445	50275	187.139.204.103	192.168.2.6
Jan 15, 2025 17:13:40.439456940 CET	445	50276	187.139.204.1	192.168.2.6
Jan 15, 2025 17:13:40.439506054 CET	50275	445	192.168.2.6	187.139.204.103
Jan 15, 2025 17:13:40.439588070 CET	50276	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.439671040 CET	50276	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.439855099 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.444618940 CET	445	50276	187.139.204.1	192.168.2.6
Jan 15, 2025 17:13:40.444629908 CET	445	50277	187.139.204.1	192.168.2.6
Jan 15, 2025 17:13:40.444694042 CET	50276	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.444710970 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.444724083 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:13:40.449500084 CET	445	50277	187.139.204.1	192.168.2.6
Jan 15, 2025 17:13:40.787827969 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:40.792642117 CET	445	50280	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:40.792715073 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:40.792737961 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:13:40.797502995 CET	445	50280	202.166.106.1	192.168.2.6
Jan 15, 2025 17:13:40.912431002 CET	445	50264	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:40.912611008 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:40.912611008 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:40.912611008 CET	50264	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:40.917509079 CET	445	50264	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:40.917519093 CET	445	50264	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:40.959794044 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:40.964634895 CET	445	50282	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:40.964705944 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:40.964762926 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:40.969708920 CET	445	50282	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:40.983594894 CET	445	50267	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:40.983675003 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:40.983808994 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:40.983808994 CET	50267	445	192.168.2.6	86.67.1.1
Jan 15, 2025 17:13:40.988627911 CET	445	50267	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:40.988661051 CET	445	50267	86.67.1.1	192.168.2.6
Jan 15, 2025 17:13:41.037833929 CET	50283	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.042754889 CET	445	50283	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:41.042876005 CET	50283	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.042969942 CET	50283	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.043302059 CET	50284	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.048274994 CET	445	50284	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:41.048285007 CET	445	50283	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:41.048507929 CET	50283	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.048583031 CET	50284	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:41.053548098 CET	445	50284	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:41.702022076 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:41.702115059 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:41.702235937 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:41.702817917 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:41.702855110 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:41.804670095 CET	445	50006	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:41.804833889 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:41.804833889 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:41.804833889 CET	50006	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:41.809690952 CET	445	50006	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:41.809700012 CET	445	50006	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:42.178663015 CET	50294	445	192.168.2.6	5.166.179.137
Jan 15, 2025 17:13:42.183446884 CET	445	50294	5.166.179.137	192.168.2.6
Jan 15, 2025 17:13:42.183536053 CET	50294	445	192.168.2.6	5.166.179.137
Jan 15, 2025 17:13:42.183588982 CET	50294	445	192.168.2.6	5.166.179.137
Jan 15, 2025 17:13:42.183816910 CET	50295	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.188467979 CET	445	50294	5.166.179.137	192.168.2.6
Jan 15, 2025 17:13:42.188529015 CET	50294	445	192.168.2.6	5.166.179.137
Jan 15, 2025 17:13:42.188607931 CET	445	50295	5.166.179.1	192.168.2.6
Jan 15, 2025 17:13:42.188678980 CET	50295	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.188718081 CET	50295	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.188955069 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.193622112 CET	445	50295	5.166.179.1	192.168.2.6
Jan 15, 2025 17:13:42.193681002 CET	50295	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.193774939 CET	445	50296	5.166.179.1	192.168.2.6
Jan 15, 2025 17:13:42.193885088 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.193885088 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:13:42.198674917 CET	445	50296	5.166.179.1	192.168.2.6
Jan 15, 2025 17:13:42.462109089 CET	445	50282	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:42.462547064 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:42.462594032 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:42.462630987 CET	50282	445	192.168.2.6	153.9.75.5
Jan 15, 2025 17:13:42.467403889 CET	445	50282	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:42.467490911 CET	445	50282	153.9.75.5	192.168.2.6
Jan 15, 2025 17:13:42.493314981 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.493427038 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.495306969 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.495348930 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.495697021 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.497812986 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.497931004 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.497946024 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.498131990 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.522402048 CET	50299	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.527169943 CET	445	50299	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:42.527257919 CET	50299	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.527327061 CET	50299	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.527693987 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.532475948 CET	445	50300	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:42.532552004 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.532577991 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.532711983 CET	445	50299	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:42.532764912 CET	50299	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:42.537311077 CET	445	50300	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:42.543340921 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.690485954 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.692679882 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.692679882 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.692747116 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.692986012 CET	443	50290	40.113.103.199	192.168.2.6
Jan 15, 2025 17:13:42.693069935 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.693069935 CET	50290	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:13:42.696729898 CET	445	50284	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:42.696980000 CET	50284	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:42.696980000 CET	50284	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:42.696980953 CET	50284	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:42.701893091 CET	445	50284	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:42.701900959 CET	445	50284	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:42.803425074 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:42.808213949 CET	445	50304	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:42.808274984 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:42.808350086 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:13:42.813083887 CET	445	50304	158.219.90.1	192.168.2.6
Jan 15, 2025 17:13:43.804908991 CET	445	50043	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:43.805116892 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:43.805147886 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:43.805181980 CET	50043	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:43.819400072 CET	50311	445	192.168.2.6	178.254.121.92
Jan 15, 2025 17:13:43.928551912 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:44.003324032 CET	445	50043	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:44.003335953 CET	445	50043	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:44.003365993 CET	445	50311	178.254.121.92	192.168.2.6
Jan 15, 2025 17:13:44.003376007 CET	445	50312	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:44.003513098 CET	50311	445	192.168.2.6	178.254.121.92
Jan 15, 2025 17:13:44.003671885 CET	50311	445	192.168.2.6	178.254.121.92
Jan 15, 2025 17:13:44.003793955 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:44.003894091 CET	50313	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.004108906 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:44.005091906 CET	445	50300	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:44.005527973 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:44.005547047 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:44.005599022 CET	50300	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:44.008738995 CET	445	50313	178.254.121.1	192.168.2.6
Jan 15, 2025 17:13:44.008964062 CET	445	50312	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:44.009051085 CET	50313	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.009092093 CET	445	50311	178.254.121.92	192.168.2.6
Jan 15, 2025 17:13:44.009107113 CET	50313	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.009155035 CET	50311	445	192.168.2.6	178.254.121.92
Jan 15, 2025 17:13:44.010341883 CET	445	50300	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:44.010400057 CET	445	50300	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:44.013959885 CET	445	50313	178.254.121.1	192.168.2.6
Jan 15, 2025 17:13:44.017276049 CET	50313	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.020843983 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.025840998 CET	445	50315	178.254.121.1	192.168.2.6
Jan 15, 2025 17:13:44.029133081 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.029198885 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:13:44.033931971 CET	445	50315	178.254.121.1	192.168.2.6
Jan 15, 2025 17:13:44.819253922 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:44.824187040 CET	445	50321	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:44.824285984 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:44.824285984 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:13:44.829133987 CET	445	50321	166.43.168.1	192.168.2.6
Jan 15, 2025 17:13:45.350589991 CET	50325	445	192.168.2.6	167.139.11.44
Jan 15, 2025 17:13:45.355535984 CET	445	50325	167.139.11.44	192.168.2.6
Jan 15, 2025 17:13:45.355627060 CET	50325	445	192.168.2.6	167.139.11.44
Jan 15, 2025 17:13:45.355690002 CET	50325	445	192.168.2.6	167.139.11.44
Jan 15, 2025 17:13:45.356123924 CET	50326	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.360563040 CET	445	50325	167.139.11.44	192.168.2.6
Jan 15, 2025 17:13:45.360629082 CET	50325	445	192.168.2.6	167.139.11.44
Jan 15, 2025 17:13:45.360960960 CET	445	50326	167.139.11.1	192.168.2.6
Jan 15, 2025 17:13:45.361022949 CET	50326	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.361037970 CET	50326	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.361310005 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.366142035 CET	445	50327	167.139.11.1	192.168.2.6
Jan 15, 2025 17:13:45.366206884 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.366238117 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.366250038 CET	445	50326	167.139.11.1	192.168.2.6
Jan 15, 2025 17:13:45.366295099 CET	50326	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:13:45.371073961 CET	445	50327	167.139.11.1	192.168.2.6
Jan 15, 2025 17:13:45.710289001 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:45.715112925 CET	445	50330	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:45.715208054 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:45.715277910 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:45.720038891 CET	445	50330	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:45.837024927 CET	445	50086	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:45.837189913 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:45.837189913 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:45.837189913 CET	50086	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:45.842073917 CET	445	50086	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:45.842256069 CET	445	50086	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:45.895879984 CET	445	50312	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:45.896100998 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:45.896100998 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:45.896100998 CET	50312	445	192.168.2.6	126.217.0.6
Jan 15, 2025 17:13:45.900963068 CET	445	50312	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:45.900971889 CET	445	50312	126.217.0.6	192.168.2.6
Jan 15, 2025 17:13:45.959851027 CET	50332	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.964690924 CET	445	50332	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:45.964775085 CET	50332	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.964977980 CET	50332	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.965431929 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.969791889 CET	445	50332	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:45.969862938 CET	50332	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.970313072 CET	445	50333	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:45.970393896 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.970484018 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:45.975271940 CET	445	50333	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:46.773055077 CET	50339	445	192.168.2.6	215.114.213.132
Jan 15, 2025 17:13:46.778028011 CET	445	50339	215.114.213.132	192.168.2.6
Jan 15, 2025 17:13:46.778107882 CET	50339	445	192.168.2.6	215.114.213.132
Jan 15, 2025 17:13:46.778183937 CET	50339	445	192.168.2.6	215.114.213.132
Jan 15, 2025 17:13:46.778338909 CET	50340	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.783139944 CET	445	50339	215.114.213.132	192.168.2.6
Jan 15, 2025 17:13:46.783198118 CET	445	50340	215.114.213.1	192.168.2.6
Jan 15, 2025 17:13:46.783200979 CET	50339	445	192.168.2.6	215.114.213.132
Jan 15, 2025 17:13:46.783271074 CET	50340	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.783360004 CET	50340	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.783704996 CET	50341	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.788496017 CET	445	50340	215.114.213.1	192.168.2.6
Jan 15, 2025 17:13:46.788557053 CET	50340	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.788635969 CET	445	50341	215.114.213.1	192.168.2.6
Jan 15, 2025 17:13:46.788705111 CET	50341	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.788746119 CET	50341	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:13:46.793520927 CET	445	50341	215.114.213.1	192.168.2.6
Jan 15, 2025 17:13:46.819025993 CET	50342	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:46.823939085 CET	445	50342	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:46.824024916 CET	50342	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:46.824069977 CET	50342	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:13:46.828933954 CET	445	50342	128.171.224.1	192.168.2.6
Jan 15, 2025 17:13:47.006556988 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:47.012104988 CET	445	50346	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:47.012186050 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:47.012207031 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:47.017123938 CET	445	50346	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:47.382644892 CET	445	50330	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:47.382742882 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:47.382821083 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:47.382821083 CET	50330	445	192.168.2.6	86.67.1.2
Jan 15, 2025 17:13:47.387654066 CET	445	50330	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:47.387682915 CET	445	50330	86.67.1.2	192.168.2.6
Jan 15, 2025 17:13:47.444140911 CET	50348	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.449134111 CET	445	50348	86.67.1.3	192.168.2.6
Jan 15, 2025 17:13:47.449238062 CET	50348	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.449274063 CET	50348	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.449589968 CET	50349	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.454490900 CET	445	50348	86.67.1.3	192.168.2.6
Jan 15, 2025 17:13:47.454555988 CET	50348	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.454562902 CET	445	50349	86.67.1.3	192.168.2.6
Jan 15, 2025 17:13:47.454628944 CET	50349	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.454669952 CET	50349	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:13:47.459491014 CET	445	50349	86.67.1.3	192.168.2.6
Jan 15, 2025 17:13:47.863446951 CET	445	50333	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:47.863679886 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:47.863679886 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:47.863679886 CET	50333	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:47.868617058 CET	445	50333	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:47.868632078 CET	445	50333	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:47.902529001 CET	445	50125	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:47.902590990 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:47.902626991 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:47.902676105 CET	50125	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:47.907468081 CET	445	50125	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:47.907497883 CET	445	50125	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:48.100754023 CET	50355	445	192.168.2.6	199.103.224.83
Jan 15, 2025 17:13:48.105637074 CET	445	50355	199.103.224.83	192.168.2.6
Jan 15, 2025 17:13:48.105722904 CET	50355	445	192.168.2.6	199.103.224.83
Jan 15, 2025 17:13:48.105844975 CET	50355	445	192.168.2.6	199.103.224.83
Jan 15, 2025 17:13:48.106278896 CET	50356	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.110842943 CET	445	50355	199.103.224.83	192.168.2.6
Jan 15, 2025 17:13:48.110902071 CET	50355	445	192.168.2.6	199.103.224.83
Jan 15, 2025 17:13:48.111040115 CET	445	50356	199.103.224.1	192.168.2.6
Jan 15, 2025 17:13:48.111092091 CET	50356	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.111183882 CET	50356	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.111522913 CET	50357	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.116328955 CET	445	50357	199.103.224.1	192.168.2.6
Jan 15, 2025 17:13:48.116415024 CET	50357	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.116481066 CET	50357	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.116802931 CET	445	50356	199.103.224.1	192.168.2.6
Jan 15, 2025 17:13:48.116848946 CET	50356	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:13:48.121273041 CET	445	50357	199.103.224.1	192.168.2.6
Jan 15, 2025 17:13:48.460752964 CET	445	50346	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:48.460812092 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:48.460840940 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:48.460871935 CET	50346	445	192.168.2.6	153.9.75.6
Jan 15, 2025 17:13:48.465662956 CET	445	50346	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:48.465677977 CET	445	50346	153.9.75.6	192.168.2.6
Jan 15, 2025 17:13:48.522274017 CET	50360	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.527162075 CET	445	50360	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:48.527237892 CET	50360	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.527328014 CET	50360	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.527627945 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.532191992 CET	445	50360	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:48.532248974 CET	50360	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.532516003 CET	445	50361	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:48.532694101 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.532694101 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:48.537463903 CET	445	50361	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:48.850385904 CET	50363	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:48.855437040 CET	445	50363	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:48.855529070 CET	50363	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:48.855576038 CET	50363	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:13:48.860316992 CET	445	50363	67.15.60.1	192.168.2.6
Jan 15, 2025 17:13:49.351053953 CET	50364	445	192.168.2.6	72.24.241.54
Jan 15, 2025 17:13:49.355870962 CET	445	50364	72.24.241.54	192.168.2.6
Jan 15, 2025 17:13:49.355963945 CET	50364	445	192.168.2.6	72.24.241.54
Jan 15, 2025 17:13:49.356008053 CET	50364	445	192.168.2.6	72.24.241.54
Jan 15, 2025 17:13:49.356138945 CET	50365	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.360971928 CET	445	50365	72.24.241.1	192.168.2.6
Jan 15, 2025 17:13:49.360987902 CET	445	50364	72.24.241.54	192.168.2.6
Jan 15, 2025 17:13:49.361097097 CET	50365	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.361505032 CET	50364	445	192.168.2.6	72.24.241.54
Jan 15, 2025 17:13:49.361505032 CET	50365	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.361524105 CET	50366	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.366399050 CET	445	50365	72.24.241.1	192.168.2.6
Jan 15, 2025 17:13:49.366422892 CET	445	50366	72.24.241.1	192.168.2.6
Jan 15, 2025 17:13:49.366492987 CET	50365	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.366528034 CET	50366	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.366574049 CET	50366	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:13:49.371351957 CET	445	50366	72.24.241.1	192.168.2.6
Jan 15, 2025 17:13:49.851751089 CET	445	50162	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:49.851824999 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:49.851850986 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:49.851906061 CET	50162	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:49.856683969 CET	445	50162	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:49.856697083 CET	445	50162	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:49.989734888 CET	445	50361	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:49.989844084 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:49.989901066 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:49.989918947 CET	50361	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:49.994774103 CET	445	50361	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:49.994786978 CET	445	50361	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:50.507209063 CET	50367	445	192.168.2.6	44.163.244.22
Jan 15, 2025 17:13:50.512219906 CET	445	50367	44.163.244.22	192.168.2.6
Jan 15, 2025 17:13:50.512342930 CET	50367	445	192.168.2.6	44.163.244.22
Jan 15, 2025 17:13:50.512432098 CET	50367	445	192.168.2.6	44.163.244.22
Jan 15, 2025 17:13:50.512763023 CET	50368	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.517374992 CET	445	50367	44.163.244.22	192.168.2.6
Jan 15, 2025 17:13:50.517451048 CET	50367	445	192.168.2.6	44.163.244.22
Jan 15, 2025 17:13:50.517611980 CET	445	50368	44.163.244.1	192.168.2.6
Jan 15, 2025 17:13:50.517680883 CET	50368	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.517723083 CET	50368	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.517976999 CET	50369	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.522743940 CET	445	50368	44.163.244.1	192.168.2.6
Jan 15, 2025 17:13:50.522816896 CET	50368	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.522856951 CET	445	50369	44.163.244.1	192.168.2.6
Jan 15, 2025 17:13:50.522918940 CET	50369	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.522954941 CET	50369	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:13:50.527782917 CET	445	50369	44.163.244.1	192.168.2.6
Jan 15, 2025 17:13:50.866034985 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:50.870987892 CET	445	50370	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:50.871083021 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:50.871145964 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:50.876009941 CET	445	50370	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:50.913000107 CET	50371	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:50.917898893 CET	445	50371	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:50.917990923 CET	50371	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:50.918025970 CET	50371	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:13:50.922776937 CET	445	50371	35.167.167.1	192.168.2.6
Jan 15, 2025 17:13:51.585134983 CET	50372	445	192.168.2.6	191.42.119.111
Jan 15, 2025 17:13:51.589927912 CET	445	50372	191.42.119.111	192.168.2.6
Jan 15, 2025 17:13:51.590014935 CET	50372	445	192.168.2.6	191.42.119.111
Jan 15, 2025 17:13:51.590172052 CET	50372	445	192.168.2.6	191.42.119.111
Jan 15, 2025 17:13:51.590178967 CET	50373	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.595103979 CET	445	50373	191.42.119.1	192.168.2.6
Jan 15, 2025 17:13:51.595165014 CET	50373	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.595201969 CET	50373	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.595274925 CET	445	50372	191.42.119.111	192.168.2.6
Jan 15, 2025 17:13:51.595326900 CET	50372	445	192.168.2.6	191.42.119.111
Jan 15, 2025 17:13:51.595415115 CET	50374	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.600116968 CET	445	50373	191.42.119.1	192.168.2.6
Jan 15, 2025 17:13:51.600167036 CET	50373	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.600313902 CET	445	50374	191.42.119.1	192.168.2.6
Jan 15, 2025 17:13:51.600486040 CET	50374	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.600486994 CET	50374	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:13:51.605341911 CET	445	50374	191.42.119.1	192.168.2.6
Jan 15, 2025 17:13:51.886933088 CET	445	50185	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:51.887001038 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:51.887049913 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:51.887109041 CET	50185	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:51.891933918 CET	445	50185	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:51.891947985 CET	445	50185	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:52.086174965 CET	445	50188	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:52.086239100 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:52.086288929 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:52.086345911 CET	50188	445	192.168.2.6	24.145.43.1
Jan 15, 2025 17:13:52.091154099 CET	445	50188	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:52.091171026 CET	445	50188	24.145.43.1	192.168.2.6
Jan 15, 2025 17:13:52.147567034 CET	50375	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.152380943 CET	445	50375	24.145.43.2	192.168.2.6
Jan 15, 2025 17:13:52.152568102 CET	50375	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.152568102 CET	50375	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.152884007 CET	50376	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.157691002 CET	445	50375	24.145.43.2	192.168.2.6
Jan 15, 2025 17:13:52.157754898 CET	445	50376	24.145.43.2	192.168.2.6
Jan 15, 2025 17:13:52.157753944 CET	50375	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.157820940 CET	50376	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.157861948 CET	50376	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:13:52.162753105 CET	445	50376	24.145.43.2	192.168.2.6
Jan 15, 2025 17:13:52.600877047 CET	50377	445	192.168.2.6	221.250.196.145
Jan 15, 2025 17:13:52.605868101 CET	445	50377	221.250.196.145	192.168.2.6
Jan 15, 2025 17:13:52.606192112 CET	50377	445	192.168.2.6	221.250.196.145
Jan 15, 2025 17:13:52.606192112 CET	50377	445	192.168.2.6	221.250.196.145
Jan 15, 2025 17:13:52.606303930 CET	50378	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.611331940 CET	445	50378	221.250.196.1	192.168.2.6
Jan 15, 2025 17:13:52.611393929 CET	50378	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.611432076 CET	50378	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.611543894 CET	445	50377	221.250.196.145	192.168.2.6
Jan 15, 2025 17:13:52.611773968 CET	50379	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.616729021 CET	445	50379	221.250.196.1	192.168.2.6
Jan 15, 2025 17:13:52.616911888 CET	50379	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.616913080 CET	50379	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.617208004 CET	445	50377	221.250.196.145	192.168.2.6
Jan 15, 2025 17:13:52.617321968 CET	445	50378	221.250.196.1	192.168.2.6
Jan 15, 2025 17:13:52.617371082 CET	50378	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:13:52.617378950 CET	50377	445	192.168.2.6	221.250.196.145
Jan 15, 2025 17:13:52.621769905 CET	445	50379	221.250.196.1	192.168.2.6
Jan 15, 2025 17:13:52.738945961 CET	445	50370	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:52.739140034 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:52.739140034 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:52.740684032 CET	50370	445	192.168.2.6	126.217.0.7
Jan 15, 2025 17:13:52.744077921 CET	445	50370	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:52.745492935 CET	445	50370	126.217.0.7	192.168.2.6
Jan 15, 2025 17:13:52.803622961 CET	50380	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.808465004 CET	445	50380	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:52.808554888 CET	50380	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.808593988 CET	50380	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.808955908 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.813707113 CET	445	50380	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:52.813766003 CET	50380	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.813849926 CET	445	50381	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:52.814003944 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.814003944 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:52.818979025 CET	445	50381	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:52.866105080 CET	50382	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:52.871087074 CET	445	50382	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:52.871181011 CET	50382	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:52.871205091 CET	50382	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:13:52.876108885 CET	445	50382	131.24.232.1	192.168.2.6
Jan 15, 2025 17:13:52.991167068 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:52.996058941 CET	445	50383	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:52.996150017 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:52.996289015 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:53.001586914 CET	445	50383	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:53.538388014 CET	50385	445	192.168.2.6	201.222.228.147
Jan 15, 2025 17:13:53.543401003 CET	445	50385	201.222.228.147	192.168.2.6
Jan 15, 2025 17:13:53.543643951 CET	50385	445	192.168.2.6	201.222.228.147
Jan 15, 2025 17:13:53.543643951 CET	50385	445	192.168.2.6	201.222.228.147
Jan 15, 2025 17:13:53.543760061 CET	50386	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.548635960 CET	445	50386	201.222.228.1	192.168.2.6
Jan 15, 2025 17:13:53.548724890 CET	50386	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.548726082 CET	50386	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.549164057 CET	50387	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.550498962 CET	445	50385	201.222.228.147	192.168.2.6
Jan 15, 2025 17:13:53.550708055 CET	50385	445	192.168.2.6	201.222.228.147
Jan 15, 2025 17:13:53.553868055 CET	445	50386	201.222.228.1	192.168.2.6
Jan 15, 2025 17:13:53.553992033 CET	50386	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.554106951 CET	445	50387	201.222.228.1	192.168.2.6
Jan 15, 2025 17:13:53.554194927 CET	50387	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.554239988 CET	50387	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:13:53.559027910 CET	445	50387	201.222.228.1	192.168.2.6
Jan 15, 2025 17:13:53.899211884 CET	445	50204	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:53.899292946 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:53.899389029 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:53.899389029 CET	50204	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:53.904611111 CET	445	50204	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:53.904652119 CET	445	50204	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:54.056875944 CET	445	50207	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:54.056951046 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:54.056992054 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:54.057050943 CET	50207	445	192.168.2.6	32.209.198.1
Jan 15, 2025 17:13:54.063287973 CET	445	50207	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:54.063302040 CET	445	50207	32.209.198.1	192.168.2.6
Jan 15, 2025 17:13:54.116213083 CET	50388	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.121074915 CET	445	50388	32.209.198.2	192.168.2.6
Jan 15, 2025 17:13:54.121248960 CET	50388	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.121330023 CET	50388	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.121701956 CET	50389	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.126328945 CET	445	50388	32.209.198.2	192.168.2.6
Jan 15, 2025 17:13:54.126405001 CET	50388	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.126475096 CET	445	50389	32.209.198.2	192.168.2.6
Jan 15, 2025 17:13:54.126554012 CET	50389	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.126605034 CET	50389	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:13:54.133239985 CET	445	50389	32.209.198.2	192.168.2.6
Jan 15, 2025 17:13:54.413235903 CET	50390	445	192.168.2.6	163.74.34.120
Jan 15, 2025 17:13:54.418370008 CET	445	50390	163.74.34.120	192.168.2.6
Jan 15, 2025 17:13:54.418493986 CET	50390	445	192.168.2.6	163.74.34.120
Jan 15, 2025 17:13:54.418606043 CET	50390	445	192.168.2.6	163.74.34.120
Jan 15, 2025 17:13:54.418839931 CET	50391	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.423566103 CET	445	50390	163.74.34.120	192.168.2.6
Jan 15, 2025 17:13:54.423719883 CET	445	50391	163.74.34.1	192.168.2.6
Jan 15, 2025 17:13:54.423798084 CET	445	50390	163.74.34.120	192.168.2.6
Jan 15, 2025 17:13:54.423799992 CET	50391	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.423854113 CET	50390	445	192.168.2.6	163.74.34.120
Jan 15, 2025 17:13:54.423898935 CET	50391	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.424247980 CET	50392	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.428760052 CET	445	50391	163.74.34.1	192.168.2.6
Jan 15, 2025 17:13:54.428832054 CET	50391	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.429099083 CET	445	50392	163.74.34.1	192.168.2.6
Jan 15, 2025 17:13:54.429167986 CET	50392	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.429208040 CET	50392	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:13:54.434138060 CET	445	50392	163.74.34.1	192.168.2.6
Jan 15, 2025 17:13:54.574920893 CET	445	50383	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:54.574995041 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:54.575062990 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:54.575166941 CET	50383	445	192.168.2.6	153.9.75.7
Jan 15, 2025 17:13:54.580009937 CET	445	50383	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:54.580039978 CET	445	50383	153.9.75.7	192.168.2.6
Jan 15, 2025 17:13:54.661775112 CET	50393	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.666894913 CET	445	50393	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:54.667114019 CET	50393	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.667114019 CET	50393	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.667553902 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.672158003 CET	445	50393	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:54.672329903 CET	50393	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.672425985 CET	445	50394	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:54.672488928 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.672519922 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:54.677308083 CET	445	50394	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:54.689687014 CET	445	50381	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:54.689747095 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:54.689860106 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:54.689912081 CET	50381	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:54.694602966 CET	445	50381	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:54.694694042 CET	445	50381	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:54.897252083 CET	50395	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:54.902100086 CET	445	50395	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:54.902213097 CET	50395	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:54.902230024 CET	50395	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:13:54.907001972 CET	445	50395	107.234.183.1	192.168.2.6
Jan 15, 2025 17:13:55.241379976 CET	50396	445	192.168.2.6	206.195.253.220
Jan 15, 2025 17:13:55.246179104 CET	445	50396	206.195.253.220	192.168.2.6
Jan 15, 2025 17:13:55.246260881 CET	50396	445	192.168.2.6	206.195.253.220
Jan 15, 2025 17:13:55.246337891 CET	50396	445	192.168.2.6	206.195.253.220
Jan 15, 2025 17:13:55.246494055 CET	50397	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.251235962 CET	445	50397	206.195.253.1	192.168.2.6
Jan 15, 2025 17:13:55.251296043 CET	50397	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.251323938 CET	50397	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.251523972 CET	445	50396	206.195.253.220	192.168.2.6
Jan 15, 2025 17:13:55.251708031 CET	50398	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.256484985 CET	445	50398	206.195.253.1	192.168.2.6
Jan 15, 2025 17:13:55.256540060 CET	50398	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.256597042 CET	50398	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.259538889 CET	445	50397	206.195.253.1	192.168.2.6
Jan 15, 2025 17:13:55.260538101 CET	445	50396	206.195.253.220	192.168.2.6
Jan 15, 2025 17:13:55.260581017 CET	50396	445	192.168.2.6	206.195.253.220
Jan 15, 2025 17:13:55.260832071 CET	445	50397	206.195.253.1	192.168.2.6
Jan 15, 2025 17:13:55.260874987 CET	50397	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:13:55.261372089 CET	445	50398	206.195.253.1	192.168.2.6
Jan 15, 2025 17:13:56.006959915 CET	50399	445	192.168.2.6	86.64.193.173
Jan 15, 2025 17:13:56.012022018 CET	445	50399	86.64.193.173	192.168.2.6
Jan 15, 2025 17:13:56.012176037 CET	50399	445	192.168.2.6	86.64.193.173
Jan 15, 2025 17:13:56.012300014 CET	50399	445	192.168.2.6	86.64.193.173
Jan 15, 2025 17:13:56.012310982 CET	50400	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.017122030 CET	445	50400	86.64.193.1	192.168.2.6
Jan 15, 2025 17:13:56.017211914 CET	50400	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.017213106 CET	50400	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.017348051 CET	445	50399	86.64.193.173	192.168.2.6
Jan 15, 2025 17:13:56.017402887 CET	50399	445	192.168.2.6	86.64.193.173
Jan 15, 2025 17:13:56.017564058 CET	50401	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.022212029 CET	445	50400	86.64.193.1	192.168.2.6
Jan 15, 2025 17:13:56.022291899 CET	50400	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.022352934 CET	445	50401	86.64.193.1	192.168.2.6
Jan 15, 2025 17:13:56.022414923 CET	50401	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.022449970 CET	50401	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:13:56.027245045 CET	445	50401	86.64.193.1	192.168.2.6
Jan 15, 2025 17:13:56.133447886 CET	445	50223	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:56.133567095 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:56.133647919 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:56.133745909 CET	50223	445	192.168.2.6	64.71.233.1
Jan 15, 2025 17:13:56.138668060 CET	445	50223	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:56.138678074 CET	445	50223	64.71.233.1	192.168.2.6
Jan 15, 2025 17:13:56.178791046 CET	445	50394	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:56.178896904 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:56.178909063 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:56.178950071 CET	50394	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:56.183780909 CET	445	50394	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:56.183789968 CET	445	50394	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:56.194463968 CET	50402	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.199378967 CET	445	50402	64.71.233.2	192.168.2.6
Jan 15, 2025 17:13:56.199487925 CET	50402	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.199489117 CET	50402	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.199812889 CET	50403	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.204454899 CET	445	50402	64.71.233.2	192.168.2.6
Jan 15, 2025 17:13:56.204592943 CET	50402	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.204629898 CET	445	50403	64.71.233.2	192.168.2.6
Jan 15, 2025 17:13:56.204691887 CET	50403	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.204736948 CET	50403	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:13:56.209486008 CET	445	50403	64.71.233.2	192.168.2.6
Jan 15, 2025 17:13:56.912950993 CET	50405	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:56.917754889 CET	445	50405	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:56.917862892 CET	50405	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:56.917953014 CET	50405	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:13:56.922772884 CET	445	50405	146.244.82.1	192.168.2.6
Jan 15, 2025 17:13:57.694185019 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:57.699116945 CET	445	50407	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:57.699196100 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:57.699233055 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:57.704082012 CET	445	50407	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:57.951608896 CET	445	50242	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:57.951736927 CET	50242	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:57.951797009 CET	50242	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:57.951797962 CET	50242	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:13:57.956612110 CET	445	50242	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:57.956625938 CET	445	50242	217.163.243.1	192.168.2.6
Jan 15, 2025 17:13:59.194103956 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:59.198930025 CET	445	50415	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:59.199032068 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:59.199054956 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:13:59.203885078 CET	445	50415	153.9.75.8	192.168.2.6
Jan 15, 2025 17:13:59.628976107 CET	445	50407	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:59.629323959 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:59.629323959 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:59.629323959 CET	50407	445	192.168.2.6	126.217.0.8
Jan 15, 2025 17:13:59.634248972 CET	445	50407	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:59.634267092 CET	445	50407	126.217.0.8	192.168.2.6
Jan 15, 2025 17:13:59.694464922 CET	50418	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.699289083 CET	445	50418	126.217.0.9	192.168.2.6
Jan 15, 2025 17:13:59.699460030 CET	50418	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.699460030 CET	50418	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.699846029 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.704648018 CET	445	50418	126.217.0.9	192.168.2.6
Jan 15, 2025 17:13:59.704724073 CET	445	50419	126.217.0.9	192.168.2.6
Jan 15, 2025 17:13:59.704782963 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.704804897 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.704807043 CET	50418	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:13:59.709625006 CET	445	50419	126.217.0.9	192.168.2.6
Jan 15, 2025 17:13:59.963342905 CET	445	50258	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:59.963614941 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:59.963615894 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:59.963615894 CET	50258	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:13:59.968705893 CET	445	50258	183.177.251.1	192.168.2.6
Jan 15, 2025 17:13:59.968738079 CET	445	50258	183.177.251.1	192.168.2.6
Jan 15, 2025 17:14:00.164554119 CET	445	50261	176.57.93.1	192.168.2.6
Jan 15, 2025 17:14:00.164812088 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:14:00.164812088 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:14:00.164915085 CET	50261	445	192.168.2.6	176.57.93.1
Jan 15, 2025 17:14:00.169765949 CET	445	50261	176.57.93.1	192.168.2.6
Jan 15, 2025 17:14:00.169785023 CET	445	50261	176.57.93.1	192.168.2.6
Jan 15, 2025 17:14:00.225740910 CET	50423	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.230577946 CET	445	50423	176.57.93.2	192.168.2.6
Jan 15, 2025 17:14:00.230674982 CET	50423	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.230716944 CET	50423	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.231194019 CET	50424	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.236001968 CET	445	50424	176.57.93.2	192.168.2.6
Jan 15, 2025 17:14:00.236095905 CET	50424	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.236134052 CET	50424	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.239563942 CET	445	50423	176.57.93.2	192.168.2.6
Jan 15, 2025 17:14:00.240874052 CET	445	50424	176.57.93.2	192.168.2.6
Jan 15, 2025 17:14:00.261924028 CET	445	50423	176.57.93.2	192.168.2.6
Jan 15, 2025 17:14:00.262042046 CET	50423	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:00.728893042 CET	445	50415	153.9.75.8	192.168.2.6
Jan 15, 2025 17:14:00.729109049 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:14:00.729110003 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:14:00.729110003 CET	50415	445	192.168.2.6	153.9.75.8
Jan 15, 2025 17:14:00.734023094 CET	445	50415	153.9.75.8	192.168.2.6
Jan 15, 2025 17:14:00.734039068 CET	445	50415	153.9.75.8	192.168.2.6
Jan 15, 2025 17:14:00.788346052 CET	50430	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.793344021 CET	445	50430	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:00.793495893 CET	50430	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.793570995 CET	50430	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.793937922 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.798569918 CET	445	50430	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:00.798666954 CET	50430	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.798733950 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:00.798831940 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.798897982 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:00.803675890 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:00.959935904 CET	50433	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:14:00.964766979 CET	445	50433	217.163.243.1	192.168.2.6
Jan 15, 2025 17:14:00.964848995 CET	50433	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:14:00.964878082 CET	50433	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:14:00.969640017 CET	445	50433	217.163.243.1	192.168.2.6
Jan 15, 2025 17:14:01.618029118 CET	445	50419	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:01.618109941 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:01.618146896 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:01.618191957 CET	50419	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:01.622951031 CET	445	50419	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:01.622988939 CET	445	50419	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:01.837286949 CET	445	50277	187.139.204.1	192.168.2.6
Jan 15, 2025 17:14:01.837373972 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:01.837431908 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:01.837493896 CET	50277	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:01.842400074 CET	445	50277	187.139.204.1	192.168.2.6
Jan 15, 2025 17:14:01.842428923 CET	445	50277	187.139.204.1	192.168.2.6
Jan 15, 2025 17:14:02.199691057 CET	445	50280	202.166.106.1	192.168.2.6
Jan 15, 2025 17:14:02.200047970 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:14:02.208703995 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:14:02.208735943 CET	50280	445	192.168.2.6	202.166.106.1
Jan 15, 2025 17:14:02.213534117 CET	445	50280	202.166.106.1	192.168.2.6
Jan 15, 2025 17:14:02.213562965 CET	445	50280	202.166.106.1	192.168.2.6
Jan 15, 2025 17:14:02.313057899 CET	50447	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.514353037 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:02.514422894 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:02.514463902 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:02.514493942 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:02.515408993 CET	445	50447	202.166.106.2	192.168.2.6
Jan 15, 2025 17:14:02.515499115 CET	50447	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.515547991 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:02.515571117 CET	50447	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.515588045 CET	50431	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:02.519505024 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:02.519532919 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:02.520009041 CET	50453	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.520490885 CET	445	50431	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:02.520669937 CET	445	50447	202.166.106.2	192.168.2.6
Jan 15, 2025 17:14:02.520725012 CET	50447	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.524904966 CET	445	50453	202.166.106.2	192.168.2.6
Jan 15, 2025 17:14:02.524979115 CET	50453	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.531124115 CET	50453	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:02.536056042 CET	445	50453	202.166.106.2	192.168.2.6
Jan 15, 2025 17:14:02.975367069 CET	50458	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:14:02.980317116 CET	445	50458	183.177.251.1	192.168.2.6
Jan 15, 2025 17:14:02.980549097 CET	50458	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:14:02.980699062 CET	50458	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:14:02.985560894 CET	445	50458	183.177.251.1	192.168.2.6
Jan 15, 2025 17:14:03.572737932 CET	445	50296	5.166.179.1	192.168.2.6
Jan 15, 2025 17:14:03.572829008 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:03.572953939 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:03.572990894 CET	50296	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:03.577796936 CET	445	50296	5.166.179.1	192.168.2.6
Jan 15, 2025 17:14:03.577811003 CET	445	50296	5.166.179.1	192.168.2.6
Jan 15, 2025 17:14:04.205792904 CET	445	50304	158.219.90.1	192.168.2.6
Jan 15, 2025 17:14:04.206007004 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:14:04.206053972 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:14:04.206089973 CET	50304	445	192.168.2.6	158.219.90.1
Jan 15, 2025 17:14:04.210799932 CET	445	50304	158.219.90.1	192.168.2.6
Jan 15, 2025 17:14:04.210978031 CET	445	50304	158.219.90.1	192.168.2.6
Jan 15, 2025 17:14:04.256953955 CET	50483	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.261876106 CET	445	50483	158.219.90.2	192.168.2.6
Jan 15, 2025 17:14:04.261965036 CET	50483	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.262012959 CET	50483	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.262550116 CET	50484	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.267409086 CET	445	50484	158.219.90.2	192.168.2.6
Jan 15, 2025 17:14:04.267504930 CET	50484	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.267504930 CET	50484	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.267537117 CET	445	50483	158.219.90.2	192.168.2.6
Jan 15, 2025 17:14:04.267977953 CET	445	50483	158.219.90.2	192.168.2.6
Jan 15, 2025 17:14:04.268023014 CET	50483	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:04.272440910 CET	445	50484	158.219.90.2	192.168.2.6
Jan 15, 2025 17:14:04.631596088 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:04.636460066 CET	445	50490	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:04.636533022 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:04.636559963 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:04.641330957 CET	445	50490	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:04.850382090 CET	50499	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:04.855427980 CET	445	50499	187.139.204.1	192.168.2.6
Jan 15, 2025 17:14:04.855509043 CET	50499	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:04.855545998 CET	50499	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:04.860338926 CET	445	50499	187.139.204.1	192.168.2.6
Jan 15, 2025 17:14:05.399183989 CET	445	50315	178.254.121.1	192.168.2.6
Jan 15, 2025 17:14:05.399277925 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:14:05.399322033 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:14:05.399359941 CET	50315	445	192.168.2.6	178.254.121.1
Jan 15, 2025 17:14:05.404310942 CET	445	50315	178.254.121.1	192.168.2.6
Jan 15, 2025 17:14:05.404339075 CET	445	50315	178.254.121.1	192.168.2.6
Jan 15, 2025 17:14:05.522301912 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:05.527298927 CET	445	50516	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:05.527383089 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:05.527426004 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:05.532269955 CET	445	50516	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:06.180325985 CET	445	50321	166.43.168.1	192.168.2.6
Jan 15, 2025 17:14:06.180439949 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:14:06.180440903 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:14:06.180529118 CET	50321	445	192.168.2.6	166.43.168.1
Jan 15, 2025 17:14:06.185396910 CET	445	50321	166.43.168.1	192.168.2.6
Jan 15, 2025 17:14:06.185425997 CET	445	50321	166.43.168.1	192.168.2.6
Jan 15, 2025 17:14:06.241101980 CET	50542	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.246089935 CET	445	50542	166.43.168.2	192.168.2.6
Jan 15, 2025 17:14:06.246303082 CET	50542	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.246303082 CET	50542	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.246453047 CET	50543	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.251346111 CET	445	50543	166.43.168.2	192.168.2.6
Jan 15, 2025 17:14:06.251409054 CET	50543	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.251431942 CET	50543	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.251646042 CET	445	50542	166.43.168.2	192.168.2.6
Jan 15, 2025 17:14:06.256264925 CET	445	50543	166.43.168.2	192.168.2.6
Jan 15, 2025 17:14:06.258532047 CET	445	50542	166.43.168.2	192.168.2.6
Jan 15, 2025 17:14:06.258610964 CET	50542	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:06.466382980 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:06.466474056 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:06.466564894 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:06.467256069 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:06.467295885 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:06.505723000 CET	445	50490	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:06.505796909 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:06.505837917 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:06.505837917 CET	50490	445	192.168.2.6	126.217.0.9
Jan 15, 2025 17:14:06.510756016 CET	445	50490	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:06.510783911 CET	445	50490	126.217.0.9	192.168.2.6
Jan 15, 2025 17:14:06.569282055 CET	50560	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.574223995 CET	445	50560	126.217.0.10	192.168.2.6
Jan 15, 2025 17:14:06.574297905 CET	50560	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.574335098 CET	50560	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.574753046 CET	50561	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.579292059 CET	445	50560	126.217.0.10	192.168.2.6
Jan 15, 2025 17:14:06.579353094 CET	50560	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.579623938 CET	445	50561	126.217.0.10	192.168.2.6
Jan 15, 2025 17:14:06.579698086 CET	50561	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.579742908 CET	50561	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:06.584574938 CET	445	50561	126.217.0.10	192.168.2.6
Jan 15, 2025 17:14:06.584841013 CET	50563	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:06.589782000 CET	445	50563	5.166.179.1	192.168.2.6
Jan 15, 2025 17:14:06.589842081 CET	50563	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:06.589859962 CET	50563	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:06.594676018 CET	445	50563	5.166.179.1	192.168.2.6
Jan 15, 2025 17:14:06.726596117 CET	445	50327	167.139.11.1	192.168.2.6
Jan 15, 2025 17:14:06.726713896 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:14:06.726932049 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:14:06.726932049 CET	50327	445	192.168.2.6	167.139.11.1
Jan 15, 2025 17:14:06.731751919 CET	445	50327	167.139.11.1	192.168.2.6
Jan 15, 2025 17:14:06.731761932 CET	445	50327	167.139.11.1	192.168.2.6
Jan 15, 2025 17:14:07.025985003 CET	445	50516	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:07.026129007 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:07.026129007 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:07.026129007 CET	50516	445	192.168.2.6	153.9.75.9
Jan 15, 2025 17:14:07.030935049 CET	445	50516	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:07.030946970 CET	445	50516	153.9.75.9	192.168.2.6
Jan 15, 2025 17:14:07.085072041 CET	50598	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.089926958 CET	445	50598	153.9.75.10	192.168.2.6
Jan 15, 2025 17:14:07.089984894 CET	50598	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.090020895 CET	50598	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.090280056 CET	50600	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.095060110 CET	445	50598	153.9.75.10	192.168.2.6
Jan 15, 2025 17:14:07.095072985 CET	445	50600	153.9.75.10	192.168.2.6
Jan 15, 2025 17:14:07.095102072 CET	50598	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.095138073 CET	50600	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.095181942 CET	50600	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:07.099936962 CET	445	50600	153.9.75.10	192.168.2.6
Jan 15, 2025 17:14:07.267821074 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.268131971 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.269656897 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.269715071 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.270498991 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.272281885 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.272281885 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.272281885 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.272383928 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.315341949 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.443772078 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.443959951 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:07.444199085 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.444364071 CET	50557	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:07.444406033 CET	443	50557	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:08.170254946 CET	445	50341	215.114.213.1	192.168.2.6
Jan 15, 2025 17:14:08.170429945 CET	50341	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:14:08.182214975 CET	445	50342	128.171.224.1	192.168.2.6
Jan 15, 2025 17:14:08.182308912 CET	50342	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:14:08.456185102 CET	445	50561	126.217.0.10	192.168.2.6
Jan 15, 2025 17:14:08.456275940 CET	50561	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:08.497664928 CET	50376	445	192.168.2.6	24.145.43.2
Jan 15, 2025 17:14:08.497709990 CET	50424	445	192.168.2.6	176.57.93.2
Jan 15, 2025 17:14:08.497759104 CET	50382	445	192.168.2.6	131.24.232.1
Jan 15, 2025 17:14:08.497792959 CET	50363	445	192.168.2.6	67.15.60.1
Jan 15, 2025 17:14:08.497817039 CET	50389	445	192.168.2.6	32.209.198.2
Jan 15, 2025 17:14:08.497911930 CET	50342	445	192.168.2.6	128.171.224.1
Jan 15, 2025 17:14:08.497960091 CET	50366	445	192.168.2.6	72.24.241.1
Jan 15, 2025 17:14:08.497982025 CET	50349	445	192.168.2.6	86.67.1.3
Jan 15, 2025 17:14:08.497982025 CET	50341	445	192.168.2.6	215.114.213.1
Jan 15, 2025 17:14:08.497982025 CET	50357	445	192.168.2.6	199.103.224.1
Jan 15, 2025 17:14:08.498023987 CET	50374	445	192.168.2.6	191.42.119.1
Jan 15, 2025 17:14:08.498045921 CET	50379	445	192.168.2.6	221.250.196.1
Jan 15, 2025 17:14:08.498075008 CET	50395	445	192.168.2.6	107.234.183.1
Jan 15, 2025 17:14:08.498097897 CET	50369	445	192.168.2.6	44.163.244.1
Jan 15, 2025 17:14:08.498104095 CET	50371	445	192.168.2.6	35.167.167.1
Jan 15, 2025 17:14:08.498125076 CET	50392	445	192.168.2.6	163.74.34.1
Jan 15, 2025 17:14:08.498147011 CET	50398	445	192.168.2.6	206.195.253.1
Jan 15, 2025 17:14:08.498173952 CET	50401	445	192.168.2.6	86.64.193.1
Jan 15, 2025 17:14:08.498217106 CET	50405	445	192.168.2.6	146.244.82.1
Jan 15, 2025 17:14:08.498219013 CET	50387	445	192.168.2.6	201.222.228.1
Jan 15, 2025 17:14:08.498241901 CET	50561	445	192.168.2.6	126.217.0.10
Jan 15, 2025 17:14:08.498286963 CET	50433	445	192.168.2.6	217.163.243.1
Jan 15, 2025 17:14:08.498330116 CET	50458	445	192.168.2.6	183.177.251.1
Jan 15, 2025 17:14:08.498336077 CET	50403	445	192.168.2.6	64.71.233.2
Jan 15, 2025 17:14:08.498357058 CET	50453	445	192.168.2.6	202.166.106.2
Jan 15, 2025 17:14:08.498367071 CET	50499	445	192.168.2.6	187.139.204.1
Jan 15, 2025 17:14:08.498393059 CET	50484	445	192.168.2.6	158.219.90.2
Jan 15, 2025 17:14:08.498485088 CET	50563	445	192.168.2.6	5.166.179.1
Jan 15, 2025 17:14:08.498522997 CET	50543	445	192.168.2.6	166.43.168.2
Jan 15, 2025 17:14:08.498735905 CET	50600	445	192.168.2.6	153.9.75.10
Jan 15, 2025 17:14:31.719113111 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:31.719219923 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:31.719382048 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:31.720134020 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:31.720175028 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.595731974 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.596021891 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.599580050 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.599602938 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.600105047 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.602221966 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.602304935 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.602317095 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.602510929 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.647342920 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.777264118 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.777448893 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:32.777673006 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:32.777673006 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:33.084652901 CET	50670	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:14:33.084722996 CET	443	50670	40.113.103.199	192.168.2.6
Jan 15, 2025 17:14:35.819552898 CET	49703	443	192.168.2.6	40.126.32.134
Jan 15, 2025 17:14:35.825242996 CET	443	49703	40.126.32.134	192.168.2.6
Jan 15, 2025 17:14:35.825438976 CET	49703	443	192.168.2.6	40.126.32.134
Jan 15, 2025 17:14:38.209959030 CET	49707	443	192.168.2.6	40.126.32.134
Jan 15, 2025 17:14:38.215337992 CET	443	49707	40.126.32.134	192.168.2.6
Jan 15, 2025 17:14:38.215394974 CET	49707	443	192.168.2.6	40.126.32.134
Jan 15, 2025 17:15:03.044248104 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.044285059 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.044339895 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.044836044 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.044847965 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.838601112 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.838673115 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.840564013 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.840574026 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.841114044 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.842817068 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.842901945 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.842906952 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:03.843033075 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:03.887337923 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:04.029014111 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:04.029201984 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:04.029289007 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:04.029347897 CET	50671	443	192.168.2.6	40.113.103.199
Jan 15, 2025 17:15:04.029386997 CET	443	50671	40.113.103.199	192.168.2.6
Jan 15, 2025 17:15:08.537110090 CET	50672	445	192.168.2.6	137.14.114.148
Jan 15, 2025 17:15:08.542097092 CET	445	50672	137.14.114.148	192.168.2.6
Jan 15, 2025 17:15:08.542175055 CET	50672	445	192.168.2.6	137.14.114.148
Jan 15, 2025 17:15:08.542217016 CET	50672	445	192.168.2.6	137.14.114.148
Jan 15, 2025 17:15:08.542334080 CET	50673	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.547192097 CET	445	50672	137.14.114.148	192.168.2.6
Jan 15, 2025 17:15:08.547213078 CET	445	50673	137.14.114.1	192.168.2.6
Jan 15, 2025 17:15:08.547243118 CET	50672	445	192.168.2.6	137.14.114.148
Jan 15, 2025 17:15:08.547270060 CET	50673	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.547305107 CET	50673	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.547569990 CET	50676	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.552201986 CET	445	50673	137.14.114.1	192.168.2.6
Jan 15, 2025 17:15:08.552248955 CET	50673	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.552383900 CET	445	50676	137.14.114.1	192.168.2.6
Jan 15, 2025 17:15:08.552454948 CET	50676	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.552531004 CET	50676	445	192.168.2.6	137.14.114.1
Jan 15, 2025 17:15:08.557322979 CET	445	50676	137.14.114.1	192.168.2.6

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:13:03 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 63 45 32 52 38 4b 6a 44 6e 55 75 72 74 2f 7a 71 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 37 65 64 64 64 37 31 62 62 30 33 33 32 64 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: cE2R8KjDnUurt/zq.1Context: a7eddd71bb0332df
2025-01-15 16:13:03 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:13:03 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 63 45 32 52 38 4b 6a 44 6e 55 75 72 74 2f 7a 71 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 37 65 64 64 64 37 31 62 62 30 33 33 32 64 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: cE2R8KjDnUurt/zq.2Context: a7eddd71bb0332df<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:13:03 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 63 45 32 52 38 4b 6a 44 6e 55 75 72 74 2f 7a 71 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 37 65 64 64 64 37 31 62 62 30 33 33 32 64 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: cE2R8KjDnUurt/zq.3Context: a7eddd71bb0332df<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:13:03 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:13:03 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2f 63 65 67 63 4b 2f 6a 57 30 47 34 59 37 50 56 77 2f 44 39 39 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: /cegcK/jW0G4Y7PVw/D99A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49806	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:13:11 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6a 76 6e 36 4b 6e 56 59 4b 45 32 75 2f 2b 37 4a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 30 38 65 33 36 35 38 66 33 31 30 66 33 62 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: jvn6KnVYKE2u/+7J.1Context: 608e3658f310f3b2
2025-01-15 16:13:11 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:13:11 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6a 76 6e 36 4b 6e 56 59 4b 45 32 75 2f 2b 37 4a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 30 38 65 33 36 35 38 66 33 31 30 66 33 62 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: jvn6KnVYKE2u/+7J.2Context: 608e3658f310f3b2<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:13:11 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6a 76 6e 36 4b 6e 56 59 4b 45 32 75 2f 2b 37 4a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 30 38 65 33 36 35 38 66 33 31 30 66 33 62 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: jvn6KnVYKE2u/+7J.3Context: 608e3658f310f3b2<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:13:11 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:13:11 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 4d 43 54 66 34 4f 38 66 30 6b 57 70 47 59 46 52 54 75 49 77 74 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: MCTf4O8f0kWpGYFRTuIwtA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50048	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:13:23 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 39 56 45 77 50 52 31 2f 58 55 57 46 6f 54 5a 63 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 35 33 39 38 61 39 32 66 65 61 39 37 34 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 9VEwPR1/XUWFoTZc.1Context: c25398a92fea9742
2025-01-15 16:13:23 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:13:23 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 39 56 45 77 50 52 31 2f 58 55 57 46 6f 54 5a 63 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 35 33 39 38 61 39 32 66 65 61 39 37 34 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 9VEwPR1/XUWFoTZc.2Context: c25398a92fea9742<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:13:23 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 39 56 45 77 50 52 31 2f 58 55 57 46 6f 54 5a 63 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 32 35 33 39 38 61 39 32 66 65 61 39 37 34 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 9VEwPR1/XUWFoTZc.3Context: c25398a92fea9742<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:13:23 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:13:23 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6c 32 7a 35 69 36 49 4f 55 45 6d 59 31 48 36 4d 62 34 34 45 64 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: l2z5i6IOUEmY1H6Mb44Edg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50290	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:13:42 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 66 69 43 4d 42 47 47 4c 70 6b 6d 2f 45 4a 4e 59 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 35 39 34 38 31 33 63 36 34 33 39 62 64 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: fiCMBGGLpkm/EJNY.1Context: 27594813c6439bdf
2025-01-15 16:13:42 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:13:42 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 66 69 43 4d 42 47 47 4c 70 6b 6d 2f 45 4a 4e 59 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 35 39 34 38 31 33 63 36 34 33 39 62 64 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: fiCMBGGLpkm/EJNY.2Context: 27594813c6439bdf<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:13:42 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 66 69 43 4d 42 47 47 4c 70 6b 6d 2f 45 4a 4e 59 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 35 39 34 38 31 33 63 36 34 33 39 62 64 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: fiCMBGGLpkm/EJNY.3Context: 27594813c6439bdf<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:13:42 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:13:42 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 47 35 74 48 49 67 73 31 5a 30 75 6e 78 77 46 4f 35 65 46 57 4f 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: G5tHIgs1Z0unxwFO5eFWOw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50557	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:14:07 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 6c 2b 34 4e 4b 6e 55 59 30 65 42 69 6b 57 55 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 38 34 31 35 66 31 39 63 61 33 63 36 39 34 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Nl+4NKnUY0eBikWU.1Context: 38415f19ca3c6946
2025-01-15 16:14:07 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:14:07 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 6c 2b 34 4e 4b 6e 55 59 30 65 42 69 6b 57 55 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 38 34 31 35 66 31 39 63 61 33 63 36 39 34 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Nl+4NKnUY0eBikWU.2Context: 38415f19ca3c6946<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:14:07 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4e 6c 2b 34 4e 4b 6e 55 59 30 65 42 69 6b 57 55 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 38 34 31 35 66 31 39 63 61 33 63 36 39 34 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Nl+4NKnUY0eBikWU.3Context: 38415f19ca3c6946<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:14:07 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:14:07 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 51 5a 46 44 49 62 55 44 6f 30 43 35 41 41 4a 45 45 70 4d 79 55 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: QZFDIbUDo0C5AAJEEpMyUA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50670	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:14:32 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 71 6b 6f 6e 75 4e 7a 7a 66 45 57 74 76 2f 72 6e 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 39 32 61 63 65 34 37 36 61 39 34 34 35 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: qkonuNzzfEWtv/rn.1Context: 6992ace476a9445e
2025-01-15 16:14:32 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:14:32 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 71 6b 6f 6e 75 4e 7a 7a 66 45 57 74 76 2f 72 6e 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 39 32 61 63 65 34 37 36 61 39 34 34 35 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: qkonuNzzfEWtv/rn.2Context: 6992ace476a9445e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:14:32 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 71 6b 6f 6e 75 4e 7a 7a 66 45 57 74 76 2f 72 6e 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 39 39 32 61 63 65 34 37 36 61 39 34 34 35 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: qkonuNzzfEWtv/rn.3Context: 6992ace476a9445e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:14:32 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:14:32 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6e 45 31 77 7a 6d 43 74 2b 45 6d 78 34 4b 4e 65 42 74 78 59 34 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: nE1wzmCt+Emx4KNeBtxY4g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	50671	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:15:03 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 42 37 66 67 75 71 72 50 44 45 53 66 71 76 55 44 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 65 38 62 36 34 38 38 33 65 38 61 33 35 31 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: B7fguqrPDESfqvUD.1Context: ee8b64883e8a3518
2025-01-15 16:15:03 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:15:03 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 42 37 66 67 75 71 72 50 44 45 53 66 71 76 55 44 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 65 38 62 36 34 38 38 33 65 38 61 33 35 31 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 6d 73 52 6f 70 43 4a 6d 4b 66 39 63 4b 52 52 76 66 66 32 75 71 67 69 53 6a 6b 50 45 4e 34 52 4d 66 34 4c 76 32 73 39 71 73 36 32 64 30 61 52 6e 4f 2b 49 30 4a 4f 44 79 44 68 38 72 48 33 59 4e 6c 44 41 2f 6e 5a 4f 7a 58 32 4b 73 50 6d 43 30 47 6d 4c 77 59 32 61 43 72 77 71 56 2b 48 55 6e 4f 71 76 42 30 55 6a 77 4a 32 6b 46 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: B7fguqrPDESfqvUD.2Context: ee8b64883e8a3518<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASmsRopCJmKf9cKRRvff2uqgiSjkPEN4RMf4Lv2s9qs62d0aRnO+I0JODyDh8rH3YNlDA/nZOzX2KsPmC0GmLwY2aCrwqV+HUnOqvB0UjwJ2kF
2025-01-15 16:15:03 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 42 37 66 67 75 71 72 50 44 45 53 66 71 76 55 44 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 65 38 62 36 34 38 38 33 65 38 61 33 35 31 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: B7fguqrPDESfqvUD.3Context: ee8b64883e8a3518<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:15:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:15:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 4b 5a 4f 4e 30 31 58 67 36 30 53 52 54 47 4a 79 44 59 34 64 42 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: KZON01Xg60SRTGJyDY4dBA.0Payload parsing failed.

Target ID:	0
Start time:	11:13:01
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll"
Imagebase:	0xff0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:13:01
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:13:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:13:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2lX8Z3eydC.dll,PlayGame
Imagebase:	0x730000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:13:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",#1
Imagebase:	0x730000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:13:02
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	178018208D64CFFD440180008D212F1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2162227567.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:13:03
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	178018208D64CFFD440180008D212F1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2170224322.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2811124459.0000000002292000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2810873658.0000000001D66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:13:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2lX8Z3eydC.dll",PlayGame
Imagebase:	0x730000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:13:04
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	178018208D64CFFD440180008D212F1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2188539151.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2190736841.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	77.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000006.00000002.2180847605.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2180808669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180905286.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181022913.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181118626.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2180847605.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2180808669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180905286.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181022913.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181118626.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2180847605.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2180808669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180905286.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181022913.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181118626.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000006.00000002.2180847605.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2180808669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180905286.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181022913.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181118626.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2180847605.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2180808669.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180905286.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181022913.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2181118626.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 2012, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2810185930.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2810173517.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810198451.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810249542.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810260810.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810332452.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000008.00000002.2810185930.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2810173517.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810198451.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810249542.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810260810.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810332452.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2810185930.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2810173517.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810198451.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810249542.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810260810.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810332452.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
CloseHandle, xrefs: 00407D29
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000008.00000002.2810185930.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2810173517.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810198451.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810249542.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810260810.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810332452.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2810185930.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2810173517.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810198451.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810209470.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810249542.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810260810.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2810332452.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: global traffic	TCP traffic: Count: 11 IPs: 126.217.0.2,126.217.0.1,126.217.0.72,126.217.0.4,126.217.0.3,126.217.0.10,126.217.0.9,126.217.0.6,126.217.0.5,126.217.0.8,126.217.0.7
Source: global traffic	TCP traffic: Count: 11 IPs: 153.9.75.6,153.9.75.7,153.9.75.60,153.9.75.4,153.9.75.5,153.9.75.8,153.9.75.9,153.9.75.2,153.9.75.3,153.9.75.1,153.9.75.10

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Yara match	File source: 2lX8Z3eydC.dll, type: SAMPLE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.22838c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d66104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d66104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.2292948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d57084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.2292948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.228e8e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d620a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2180950721.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2170224322.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2162227567.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2810238501.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2188539151.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2190736841.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2811124459.0000000002292000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2810873658.0000000001D66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50290 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50557 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50670 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50671 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.72
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.72
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.72
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.72
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.215
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.215
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.215
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.215
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 24.145.43.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 126.217.0.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.19
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.1
Source: unknown	TCP traffic detected without corresponding DNS query: 32.209.198.1

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50557
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50670
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50671
Source: unknown	Network traffic detected: HTTP traffic on port 50670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50557 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: 2lX8Z3eydC.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d57084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d57084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.22838c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22838c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.22b596c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22b596c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.22838c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22838c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.22838c8.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d89128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d89128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d66104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d66104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1d66104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d89128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d89128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.22b596c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22b596c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.2292948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.2292948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d57084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d57084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1d57084.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.2292948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.228e8e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d620a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2lX8Z3eydC.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
2lX8Z3eydC.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON