Edit tour

Windows Analysis Report
mssecsvc.exe.exe

Overview

General Information

Sample name:	mssecsvc.exe.exe (renamed file extension from malware to exe)
Original sample name:	mssecsvc.exe.malware
Analysis ID:	1651503
MD5:	0c694193ceac8bfb016491ffb534eb7c
SHA1:	3afa73283d1e17de1bde6cc14e19417e70fc9554
SHA256:	dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Connects to several IPs in different countries

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w7x64

mssecsvc.exe.exe (PID: 3504 cmdline: "C:\Users\user\Desktop\mssecsvc.exe.exe" MD5: 0C694193CEAC8BFB016491FFB534EB7C)

tasksche.exe (PID: 3792 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)

mssecsvc.exe.exe (PID: 3676 cmdline: C:\Users\user\Desktop\mssecsvc.exe.exe -m security MD5: 0C694193CEAC8BFB016491FFB534EB7C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt	WannaCry is ransomware that contains a worm component enabled by the EternalBlue exploit. It attempts to use vulnerabilities in the Windows SMBv1 server to remotely compromise systems, encrypt files, and spread to other hosts. Systems that have installed the MS17-010 patch are not vulnerable to the exploits used. The spreading was stopped about 8 hours after initial outbreak due to triggering a kill switch domain.	Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mssecsvc.exe.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
mssecsvc.exe.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
mssecsvc.exe.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
mssecsvc.exe.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
mssecsvc.exe.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.493697479.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.357354210.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.357560055.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.358030594.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.350973560.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.355043612.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe.exe PID: 3504	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe.exe PID: 3676	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\mssecsvc.exe.exe, ProcessId: 3504, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998295+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.22	49161	TCP
2025-03-28T22:13:27.867818+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.22	49162	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.695035+0100	2024291	1	A Network Trojan was detected	192.168.2.22	54562	8.8.8.8	53	UDP
2025-03-28T22:13:27.565802+0100	2024291	1	A Network Trojan was detected	192.168.2.22	52917	8.8.8.8	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998238+0100	2024298	1	A Network Trojan was detected	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024298	1	A Network Trojan was detected	192.168.2.22	49162	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998238+0100	2024299	1	A Network Trojan was detected	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024299	1	A Network Trojan was detected	192.168.2.22	49162	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998238+0100	2024301	1	A Network Trojan was detected	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024301	1	A Network Trojan was detected	192.168.2.22	49162	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998238+0100	2024302	1	A Network Trojan was detected	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024302	1	A Network Trojan was detected	192.168.2.22	49162	104.16.166.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T22:13:26.998238+0100	2803304	3	Unknown Traffic	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2803304	3	Unknown Traffic	192.168.2.22	49162	104.16.166.228	80	TCP

Joe Sandbox Signatures

• AV Detection
• Exploits
• Compliance
• Networking
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mssecsvc.exe.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/AD.WannaCry.sewvt

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe

ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: mssecsvc.exe.exe	ReversingLabs: Detection: 100%
Source: mssecsvc.exe.exe	Virustotal: Detection: 93%			Perma Link

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: mssecsvc.exe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.22:49161 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.22:49161 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.22:49161 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.22:49161 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.22:49162 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.22:49162 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.22:49162 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.22:49162 -> 104.16.166.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 21:13:26 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 927a21a75da023ce-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 21:13:27 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 927a21accb51f797-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: unknown

Network traffic detected: IP country count 22

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.22:54562 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.22:52917 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49161 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49162 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.22:49162

Source: unknown	TCP traffic detected without corresponding DNS query: 179.149.119.240
Source: unknown	TCP traffic detected without corresponding DNS query: 5.161.3.226
Source: unknown	TCP traffic detected without corresponding DNS query: 41.249.225.248
Source: unknown	TCP traffic detected without corresponding DNS query: 60.243.179.166
Source: unknown	TCP traffic detected without corresponding DNS query: 46.78.169.146
Source: unknown	TCP traffic detected without corresponding DNS query: 197.18.246.111
Source: unknown	TCP traffic detected without corresponding DNS query: 197.154.3.137
Source: unknown	TCP traffic detected without corresponding DNS query: 184.42.88.36
Source: unknown	TCP traffic detected without corresponding DNS query: 50.103.164.43
Source: unknown	TCP traffic detected without corresponding DNS query: 219.79.251.133
Source: unknown	TCP traffic detected without corresponding DNS query: 11.80.13.222
Source: unknown	TCP traffic detected without corresponding DNS query: 173.48.34.114
Source: unknown	TCP traffic detected without corresponding DNS query: 207.193.131.196
Source: unknown	TCP traffic detected without corresponding DNS query: 76.85.155.151
Source: unknown	TCP traffic detected without corresponding DNS query: 105.153.176.87
Source: unknown	TCP traffic detected without corresponding DNS query: 143.95.188.165
Source: unknown	TCP traffic detected without corresponding DNS query: 201.11.248.31
Source: unknown	TCP traffic detected without corresponding DNS query: 92.139.187.164
Source: unknown	TCP traffic detected without corresponding DNS query: 206.70.205.171
Source: unknown	TCP traffic detected without corresponding DNS query: 177.35.175.109
Source: unknown	TCP traffic detected without corresponding DNS query: 149.136.152.42
Source: unknown	TCP traffic detected without corresponding DNS query: 193.167.47.61
Source: unknown	TCP traffic detected without corresponding DNS query: 31.165.163.7
Source: unknown	TCP traffic detected without corresponding DNS query: 160.195.89.246
Source: unknown	TCP traffic detected without corresponding DNS query: 25.26.63.98
Source: unknown	TCP traffic detected without corresponding DNS query: 15.243.91.206
Source: unknown	TCP traffic detected without corresponding DNS query: 199.114.150.9
Source: unknown	TCP traffic detected without corresponding DNS query: 66.31.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 156.145.178.95
Source: unknown	TCP traffic detected without corresponding DNS query: 185.27.29.32
Source: unknown	TCP traffic detected without corresponding DNS query: 194.147.16.167
Source: unknown	TCP traffic detected without corresponding DNS query: 6.125.30.242
Source: unknown	TCP traffic detected without corresponding DNS query: 149.180.173.172
Source: unknown	TCP traffic detected without corresponding DNS query: 43.26.27.7
Source: unknown	TCP traffic detected without corresponding DNS query: 188.92.66.47
Source: unknown	TCP traffic detected without corresponding DNS query: 7.74.55.124
Source: unknown	TCP traffic detected without corresponding DNS query: 70.38.197.97
Source: unknown	TCP traffic detected without corresponding DNS query: 119.41.187.169
Source: unknown	TCP traffic detected without corresponding DNS query: 53.33.231.37
Source: unknown	TCP traffic detected without corresponding DNS query: 187.49.66.157
Source: unknown	TCP traffic detected without corresponding DNS query: 24.207.133.106
Source: unknown	TCP traffic detected without corresponding DNS query: 117.62.196.67
Source: unknown	TCP traffic detected without corresponding DNS query: 122.166.104.87
Source: unknown	TCP traffic detected without corresponding DNS query: 75.59.51.134
Source: unknown	TCP traffic detected without corresponding DNS query: 41.123.182.192
Source: unknown	TCP traffic detected without corresponding DNS query: 113.90.248.144
Source: unknown	TCP traffic detected without corresponding DNS query: 148.134.135.3
Source: unknown	TCP traffic detected without corresponding DNS query: 1.165.181.98
Source: unknown	TCP traffic detected without corresponding DNS query: 168.55.217.78
Source: unknown	TCP traffic detected without corresponding DNS query: 1.165.100.74

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: mssecsvc.exe.exe	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe.exe, 00000000.00000002.358148762.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe.exe, 00000004.00000002.493648746.00000000002D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe.exe, 00000004.00000002.493631174.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe.exe, 00000004.00000002.493648746.00000000002F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.kryptoslogic.com

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: mssecsvc.exe.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000002.493697479.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358030594.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.350973560.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.355043612.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe.exe PID: 3504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe.exe PID: 3676, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000005.00000000.357354210.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.357560055.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File created: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat			Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Windows\tasksche.exe 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD

Source: mssecsvc.exe.exe	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.0.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: mssecsvc.exe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: mssecsvc.exe.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000005.00000000.357354210.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.357560055.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 00000005.00000002.357560055.000000000040E000.00000008.00000001.01000000.00000005.sdmp, mssecsvc.exe.exe, tasksche.exe.0.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@4/1@2/100

Source: mssecsvc.exe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: mssecsvc.exe.exe	ReversingLabs: Detection: 100%
Source: mssecsvc.exe.exe	Virustotal: Detection: 93%

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

File read: C:\Users\user\Desktop\mssecsvc.exe.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mssecsvc.exe.exe "C:\Users\user\Desktop\mssecsvc.exe.exe"
Source: unknown	Process created: C:\Users\user\Desktop\mssecsvc.exe.exe C:\Users\user\Desktop\mssecsvc.exe.exe -m security
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Section loaded: rpcrtremote.dll	Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: mssecsvc.exe.exe

Static file information: File size 3723264 > 1048576

Source: mssecsvc.exe.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Executable created and started: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3544	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3736	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3748	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3748	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3752	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3756	Thread sleep count: 163 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mssecsvc.exe.exe TID: 3748	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Users\user\Desktop\mssecsvc.exe.exe

Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mssecsvc.exe.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
mssecsvc.exe.exe	93%	Virustotal		Browse
mssecsvc.exe.exe	100%	Avira	TR/AD.WannaCry.bqdjz

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	TR/AD.WannaCry.sewvt
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label	Link
https://www.kryptoslogic.com	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	mssecsvc.exe.exe	false		high
https://www.kryptoslogic.com	mssecsvc.exe.exe, 00000004.00000002.493648746.00000000002F3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe.exe, 00000004.00000002.493631174.000000000018C000.00000004.00000010.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
48.187.158.110	unknown	United States	2686	ATGS-MMD-ASUS	false
54.116.157.253	unknown	United States	16509	AMAZON-02US	false
99.8.119.98	unknown	United States	7018	ATT-INTERNET4US	false
94.171.178.161	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
5.19.71.212	unknown	Russian Federation	41733	ZTELECOM-ASRU	false
208.211.201.31	unknown	United States	701	UUNETUS	false
101.224.25.68	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
140.117.16.146	unknown	Taiwan; Republic of China (ROC)	17716	NTU-TWNationalTaiwanUniversityTW	false
89.1.134.73	unknown	Germany	8422	NETCOLOGNEDE	false
146.205.176.228	unknown	United States	6871	PLUSNETUKInternetServiceProviderGB	false
172.174.65.158	unknown	United States	7018	ATT-INTERNET4US	false
108.107.122.201	unknown	United States	10507	SPCSUS	false
47.207.218.58	unknown	United States	5650	FRONTIER-FRTRUS	false
163.158.157.127	unknown	Netherlands	15435	KABELFOONDELTAFiberNederlandNL	false
119.227.153.127	unknown	India	9583	SIFY-AS-INSifyLimitedIN	false
190.219.15.10	unknown	Panama	18809	CableOndaPA	false
56.184.149.100	unknown	United States	2686	ATGS-MMD-ASUS	false
91.54.57.35	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
33.171.101.209	unknown	United States	2686	ATGS-MMD-ASUS	false
88.88.35.227	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
197.203.173.195	unknown	Algeria	36947	ALGTEL-ASDZ	false
207.153.60.229	unknown	United States	10242	USINTERNETUS	false
184.42.88.36	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
47.217.200.31	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
61.0.40.163	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
169.241.72.57	unknown	United States	22164	CCSDUS	false
86.11.57.185	unknown	United Kingdom	5089	NTLGB	false
120.220.204.128	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
73.62.122.29	unknown	United States	7922	COMCAST-7922US	false
73.147.49.137	unknown	United States	7922	COMCAST-7922US	false
108.235.14.36	unknown	United States	7018	ATT-INTERNET4US	false
17.11.229.29	unknown	United States	714	APPLE-ENGINEERINGUS	false
139.16.199.207	unknown	Germany	9905	LINKNET-ID-APLinknetASNID	false
50.76.102.155	unknown	United States	7922	COMCAST-7922US	false
27.253.113.223	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
128.24.67.56	unknown	United States	786	JANETJiscServicesLimitedGB	false
31.165.163.7	unknown	Switzerland	6730	SUNRISECH	false
115.53.69.235	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
23.21.155.227	unknown	United States	14618	AMAZON-AESUS	false
171.176.151.176	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
37.174.65.106	unknown	France	51207	FREEMFR	false
114.86.40.249	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
169.215.77.25	unknown	Korea Republic of	37611	AfrihostZA	false
185.22.86.4	unknown	Italy	12874	FASTWEBIT	false
61.166.54.193	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
36.252.138.242	unknown	Nepal	38565	NCELL-AS-NPNcellPvtLtdNP	false
130.82.143.12	unknown	Switzerland	559	SWITCHPeeringrequestspeeringswitchchEU	false
68.149.251.220	unknown	Canada	6327	SHAWCA	false
119.41.187.169	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
32.158.251.29	unknown	United States	2686	ATGS-MMD-ASUS	false
203.97.45.90	unknown	New Zealand	4768	VFNZ-INET-ASVodafoneNZLtdNZ	false
27.5.84.185	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	false
112.79.67.193	unknown	India	38266	VODAFONE-INVodafoneIndiaLtdIN	false
78.85.4.49	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
207.106.28.14	unknown	United States	7029	WINDSTREAMUS	false
75.137.181.145	unknown	United States	20115	CHARTER-20115US	false
84.172.176.246	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
98.232.68.241	unknown	United States	7922	COMCAST-7922US	false
74.205.177.150	unknown	Canada	53618	ADITY-OSH-ASCA	false
2.142.134.135	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
187.239.131.71	unknown	Mexico	8151	UninetSAdeCVMX	false
84.213.184.157	unknown	Norway	41164	GET-NOGETNorwayNO	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.127
192.168.2.124
192.168.2.125
192.168.2.128
192.168.2.129
192.168.2.122
192.168.2.123
192.168.2.120
192.168.2.121
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1651503
Start date and time:	2025-03-28 22:12:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mssecsvc.exe.exe (renamed file extension from malware to exe)
Original Sample Name:	mssecsvc.exe.malware
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@4/1@2/100

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:13:24	API Interceptor	3483x Sleep call for process: mssecsvc.exe.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	5V38PCLhiz.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ImPgtzz6o4.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	GeW4GzT8G8.dll	Get hash	malicious	Virut, Wannacry	Browse	104.16.166.228
	JRTn7b1kHg.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	NZZ71x6Cyz.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	bC61G18iPf.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	XB6SkLK7Al.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ue5QSYCBPt.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	jade420.x86.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	13.216.34.24
	SPChaotic.exe	Get hash	malicious	XWorm	Browse	3.126.224.214
	SysRuntime.exe	Get hash	malicious	XWorm	Browse	3.126.224.214
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https://jpmchase.secure.virtru.com/start/%3Fc%3Dexperiment%26t%3Demailtemplate2019-09%26s%3Dddc.sr%2540chase.com%26p%3D7db6612f-a3dd-473a-95ad-f5289da77171%23v%3D3.0.0%26d%3Dhttps%253A%252F%252Fapi.virtru.com%252Fstorage%252Fapi%252Fpolicies%252F7db6612f-a3dd-473a-95ad-f5289da77171%252Fdata%252Fmetadata%26dk%3DoebNRZyiVlMa6AoTyAKeCwLGpwgdjLHhM1YiU6zqddU%253D&E=jwyland%40woodlandsbank.com&X=XID390dcbRyp9059Xd1&T=WDLP&HV=U,E,X,T&H=ec39b06efb6207f560ffe0a7da20e1335f9cfff7	Get hash	malicious	Unknown	Browse	44.225.54.253
	SystemRuntime.exe	Get hash	malicious	XWorm	Browse	3.126.224.214
	clientiac.exe	Get hash	malicious	XWorm	Browse	3.126.224.214
	Clientiawh.exe	Get hash	malicious	XWorm	Browse	3.126.224.214
	https://6uq8xyud.bucpdccx.ru/YSEJz/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	3.168.73.27
	https://L1h.toliviraxen.ru/MzobBPAf/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	13.224.214.119
LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	bimbo-mpsl.elf	Get hash	malicious	Unknown	Browse	89.75.162.14
	bimbo-x86.elf	Get hash	malicious	Unknown	Browse	80.218.194.247
	k03ldc.arm.elf	Get hash	malicious	Unknown	Browse	109.90.234.37
	k03ldc.mpsl.elf	Get hash	malicious	Unknown	Browse	86.49.76.47
	m68k.elf	Get hash	malicious	Unknown	Browse	94.171.245.99
	vjwe68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	88.146.165.82
	bejv86.elf	Get hash	malicious	Mirai	Browse	88.153.178.20
	efjepc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	80.110.209.41
	eehah4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	80.218.194.240
	resgod.sh4.elf	Get hash	malicious	Mirai	Browse	85.124.31.24
ATGS-MMD-ASUS	http://188.114.96.3	Get hash	malicious	Unknown	Browse	34.49.212.111
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https://jpmchase.secure.virtru.com/start/%3Fc%3Dexperiment%26t%3Demailtemplate2019-09%26s%3Dddc.sr%2540chase.com%26p%3D7db6612f-a3dd-473a-95ad-f5289da77171%23v%3D3.0.0%26d%3Dhttps%253A%252F%252Fapi.virtru.com%252Fstorage%252Fapi%252Fpolicies%252F7db6612f-a3dd-473a-95ad-f5289da77171%252Fdata%252Fmetadata%26dk%3DoebNRZyiVlMa6AoTyAKeCwLGpwgdjLHhM1YiU6zqddU%253D&E=jwyland%40woodlandsbank.com&X=XID390dcbRyp9059Xd1&T=WDLP&HV=U,E,X,T&H=ec39b06efb6207f560ffe0a7da20e1335f9cfff7	Get hash	malicious	Unknown	Browse	34.160.98.162
	https://issuu.com/tylockgeorge/docs/gf-007733281?fr=sYmZjNDgzOTA5MjY	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	57.144.180.1
	https://url.us.m.mimecastprotect.com/s/RCIkCyPJBYF0OAoruZfnUxNKPR?domain=issuu.com	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	57.144.180.1
	https://briggsandstratton.login-usb.mimecast.com/u/login/?gta=secure&tkn=3.AP6_gtafyD5PTk8Aevs7qWMs7rB-RgGOOAKjDD6Jp5jm6n3ECvVIZPaSlRslpe0yv7DdQAhFJCSa--KRirpg9vlymGkSVGUQ63wUGFYsG3Fzz2ibtSIyhA08Z5SvCFfw.5XaglCTBXgq_lRG5w_yCsQ	Get hash	malicious	Unknown	Browse	34.36.213.229
	https://openrefine.org/download	Get hash	malicious	Unknown	Browse	34.54.88.138
	ATT02683-1.pdf	Get hash	malicious	Unknown	Browse	34.149.73.226
	https://app.eraser.io/workspace/ISn1eLCg7dzDBCScfS1e?origin=share	Get hash	malicious	Unknown	Browse	34.8.177.196
	http://ergonperizie.notion.site/1c3e29532f0a808e8960ccaa2fe479e5	Get hash	malicious	HTMLPhisher	Browse	57.144.180.128
	https://innovation-platform-6635.my.salesforce-sites.com/sec	Get hash	malicious	HTMLPhisher	Browse	34.49.212.111
ATT-INTERNET4US	A_W-NP_packetstream.exe	Get hash	malicious	Unknown	Browse	209.38.174.165
	A_W-NP_packetstream.exe	Get hash	malicious	Unknown	Browse	209.38.174.165
	bimbo-m68k.elf	Get hash	malicious	Unknown	Browse	63.192.66.211
	bimbo-mpsl.elf	Get hash	malicious	Unknown	Browse	12.38.242.165
	bimbo-arm.elf	Get hash	malicious	Unknown	Browse	75.3.79.141
	bimbo-ppc.elf	Get hash	malicious	Unknown	Browse	12.198.36.114
	bimbo-spc.elf	Get hash	malicious	Unknown	Browse	74.185.28.70
	bimbo-x86.elf	Get hash	malicious	Unknown	Browse	172.182.199.18
	bimbo-mips.elf	Get hash	malicious	Unknown	Browse	68.252.41.131
	k03ldc.arm.elf	Get hash	malicious	Unknown	Browse	65.64.249.114

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	GeW4GzT8G8.dll	Get hash	malicious	Virut, Wannacry	Browse
	JRTn7b1kHg.dll	Get hash	malicious	Wannacry	Browse
	S8LDvVdtOk.dll	Get hash	malicious	Wannacry	Browse
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse
	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse
	zyeX8bTkky.dll	Get hash	malicious	Wannacry	Browse
	qt680eucI4.dll	Get hash	malicious	Wannacry	Browse
	1w3BDu68Sg.dll	Get hash	malicious	Wannacry	Browse
	qCc1a4w5YZ.exe	Get hash	malicious	Wannacry	Browse
	stN592INV6.exe	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\Windows\tasksche.exe

Download File

Process:	C:\Users\user\Desktop\mssecsvc.exe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.996072890929898
Encrypted:	true
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	7F7CCAA16FB15EB1C7399D422F8363E8
SHA1:	BD44D0AB543BF814D93B719C24E90D8DD7111234
SHA-256:	2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
SHA-512:	83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: GeW4GzT8G8.dll, Detection: malicious, Browse Filename: JRTn7b1kHg.dll, Detection: malicious, Browse Filename: S8LDvVdtOk.dll, Detection: malicious, Browse Filename: 9nNO3SHiV1.dll, Detection: malicious, Browse Filename: zbRmQrzaHY.dll, Detection: malicious, Browse Filename: zyeX8bTkky.dll, Detection: malicious, Browse Filename: qt680eucI4.dll, Detection: malicious, Browse Filename: 1w3BDu68Sg.dll, Detection: malicious, Browse Filename: qCc1a4w5YZ.exe, Detection: malicious, Browse Filename: stN592INV6.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.965905243891064
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mssecsvc.exe.exe
File size:	3'723'264 bytes
MD5:	0c694193ceac8bfb016491ffb534eb7c
SHA1:	3afa73283d1e17de1bde6cc14e19417e70fc9554
SHA256:	dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b
SHA512:	bfa729e9449c0a438cfb51fc9f4314022b2f18092938fd42702a06246edc865db77327399a8d21cc1fa208a99e3436e4a460cb010e428caddc638c3fa6547afb
SSDEEP:	98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqPe1Cxcxk3ZAEUadzR8yc4HI
TLSH:	19063394612CB2FCF0440EB44473896AB7B33C69A7BA5E1F9BC086670D53B5BAFD0641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F2EB07F5D31h
cmp dword ptr [00431410h], ebx
jne 00007F2EB07F5C1Eh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F2EB07F5D03h
push 0040B010h
push 0040B00Ch
call 00007F2EB07F5CEEh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007F2EB07F5CBBh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x35a454	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8bca	0x9000	799fa6f54ef4176da2990896faea65d8	False	0.534423828125	data	6.1345234015658825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	d8037d744b539326c06e897625751cc9	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	22a8598dc29cad7078c291e94612ce26	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x35a454	0x35b000	a19437cf29a158eae9109b8ecb75975d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
R	0x3100a4	0x35a000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States	0.9710664749145508
RT_VERSION	0x66a0a4	0x3b0	data	English	United States	1.0116525423728813

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-28T22:13:26.695035+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.22	54562	8.8.8.8	53	UDP
2025-03-28T22:13:26.998238+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:26.998238+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:26.998238+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:26.998238+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:26.998238+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.22	49161	104.16.166.228	80	TCP
2025-03-28T22:13:26.998295+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.22	49161	TCP
2025-03-28T22:13:27.565802+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.22	52917	8.8.8.8	53	UDP
2025-03-28T22:13:27.867162+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.22	49162	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.22	49162	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.22	49162	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.22	49162	104.16.166.228	80	TCP
2025-03-28T22:13:27.867162+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.22	49162	104.16.166.228	80	TCP
2025-03-28T22:13:27.867818+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.22	49162	TCP

Network Port Distribution

Total Packets: 999
• 445 (Microsoft-DS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2025 22:13:26.812019110 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:26.896403074 CET	80	49161	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:26.896492004 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:26.896770954 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:26.981064081 CET	80	49161	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:26.998145103 CET	80	49161	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:26.998238087 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:26.998295069 CET	80	49161	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:26.998341084 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.015580893 CET	49161	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.099975109 CET	80	49161	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:27.656785011 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.740268946 CET	80	49162	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:27.740335941 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.765008926 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.850300074 CET	80	49162	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:27.867098093 CET	80	49162	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:27.867161989 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.867818117 CET	80	49162	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:27.867875099 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.874833107 CET	49162	80	192.168.2.22	104.16.166.228
Mar 28, 2025 22:13:27.897934914 CET	49163	445	192.168.2.22	179.149.119.240
Mar 28, 2025 22:13:27.958687067 CET	80	49162	104.16.166.228	192.168.2.22
Mar 28, 2025 22:13:29.007746935 CET	49176	445	192.168.2.22	5.161.3.226
Mar 28, 2025 22:13:29.898066044 CET	49187	445	192.168.2.22	41.249.225.248
Mar 28, 2025 22:13:30.132015944 CET	49188	445	192.168.2.22	60.243.179.166
Mar 28, 2025 22:13:31.051357031 CET	49200	445	192.168.2.22	74.10.148.155
Mar 28, 2025 22:13:31.254194975 CET	49203	445	192.168.2.22	46.78.169.146
Mar 28, 2025 22:13:31.917346954 CET	49211	445	192.168.2.22	197.18.246.111
Mar 28, 2025 22:13:32.174642086 CET	49214	445	192.168.2.22	197.154.3.137
Mar 28, 2025 22:13:32.377566099 CET	49216	445	192.168.2.22	184.42.88.36
Mar 28, 2025 22:13:33.032850981 CET	49224	445	192.168.2.22	50.103.164.43
Mar 28, 2025 22:13:33.298491001 CET	49229	445	192.168.2.22	219.79.251.133
Mar 28, 2025 22:13:33.500845909 CET	49231	445	192.168.2.22	110.137.80.58
Mar 28, 2025 22:13:33.923280001 CET	49239	445	192.168.2.22	11.80.13.222
Mar 28, 2025 22:13:34.155889034 CET	49242	445	192.168.2.22	173.48.34.114
Mar 28, 2025 22:13:34.421067953 CET	49244	445	192.168.2.22	207.193.131.196
Mar 28, 2025 22:13:34.623821974 CET	49247	445	192.168.2.22	76.85.155.151
Mar 28, 2025 22:13:35.045094967 CET	49254	445	192.168.2.22	105.153.176.87
Mar 28, 2025 22:13:35.279028893 CET	49257	445	192.168.2.22	143.95.188.165
Mar 28, 2025 22:13:35.544378996 CET	49259	445	192.168.2.22	201.11.248.31
Mar 28, 2025 22:13:35.747322083 CET	49262	445	192.168.2.22	92.139.187.164
Mar 28, 2025 22:13:35.935193062 CET	49265	445	192.168.2.22	206.70.205.171
Mar 28, 2025 22:13:36.168174982 CET	49270	445	192.168.2.22	177.35.175.109
Mar 28, 2025 22:13:36.402201891 CET	49273	445	192.168.2.22	149.136.152.42
Mar 28, 2025 22:13:36.667462111 CET	49275	445	192.168.2.22	193.167.47.61
Mar 28, 2025 22:13:36.870326996 CET	49278	445	192.168.2.22	31.165.163.7
Mar 28, 2025 22:13:37.057884932 CET	49281	445	192.168.2.22	160.195.89.246
Mar 28, 2025 22:13:37.291415930 CET	49286	445	192.168.2.22	25.26.63.98
Mar 28, 2025 22:13:37.525475979 CET	49289	445	192.168.2.22	15.243.91.206
Mar 28, 2025 22:13:37.790760994 CET	49291	445	192.168.2.22	199.114.150.9
Mar 28, 2025 22:13:37.947860003 CET	49294	445	192.168.2.22	66.31.1.205
Mar 28, 2025 22:13:37.993495941 CET	49296	445	192.168.2.22	156.145.178.95
Mar 28, 2025 22:13:38.180711031 CET	49300	445	192.168.2.22	185.27.29.32
Mar 28, 2025 22:13:38.414688110 CET	49303	445	192.168.2.22	194.147.16.167
Mar 28, 2025 22:13:38.648663998 CET	49307	445	192.168.2.22	6.125.30.242
Mar 28, 2025 22:13:38.913952112 CET	49308	445	192.168.2.22	149.180.173.172
Mar 28, 2025 22:13:39.069796085 CET	49311	445	192.168.2.22	43.26.27.7
Mar 28, 2025 22:13:39.116724968 CET	49313	445	192.168.2.22	188.92.66.47
Mar 28, 2025 22:13:39.303988934 CET	49317	445	192.168.2.22	7.74.55.124
Mar 28, 2025 22:13:39.537976980 CET	49320	445	192.168.2.22	70.38.197.97
Mar 28, 2025 22:13:39.771815062 CET	49324	445	192.168.2.22	119.41.187.169
Mar 28, 2025 22:13:39.960212946 CET	49325	445	192.168.2.22	53.33.231.37
Mar 28, 2025 22:13:40.037031889 CET	49327	445	192.168.2.22	187.49.66.157
Mar 28, 2025 22:13:40.193061113 CET	49329	445	192.168.2.22	24.207.133.106
Mar 28, 2025 22:13:40.240475893 CET	49331	445	192.168.2.22	117.62.196.67
Mar 28, 2025 22:13:40.427160025 CET	49335	445	192.168.2.22	122.166.104.87
Mar 28, 2025 22:13:40.661109924 CET	49339	445	192.168.2.22	75.59.51.134
Mar 28, 2025 22:13:40.895139933 CET	49342	445	192.168.2.22	41.123.182.192
Mar 28, 2025 22:13:41.082201958 CET	49344	445	192.168.2.22	113.90.248.144
Mar 28, 2025 22:13:41.160212994 CET	49345	445	192.168.2.22	148.134.135.3
Mar 28, 2025 22:13:41.316350937 CET	49348	445	192.168.2.22	1.165.181.98
Mar 28, 2025 22:13:41.363159895 CET	49350	445	192.168.2.22	168.55.217.78
Mar 28, 2025 22:13:41.550343990 CET	49354	445	192.168.2.22	1.165.100.74
Mar 28, 2025 22:13:41.784269094 CET	49357	445	192.168.2.22	174.55.128.32
Mar 28, 2025 22:13:41.971725941 CET	49360	445	192.168.2.22	220.29.156.26
Mar 28, 2025 22:13:42.018215895 CET	49361	445	192.168.2.22	130.244.121.188
Mar 28, 2025 22:13:42.205485106 CET	49363	445	192.168.2.22	120.13.28.253
Mar 28, 2025 22:13:42.283406019 CET	49364	445	192.168.2.22	174.78.90.36
Mar 28, 2025 22:13:42.439479113 CET	49367	445	192.168.2.22	199.225.245.161
Mar 28, 2025 22:13:42.486160040 CET	49369	445	192.168.2.22	169.225.211.231
Mar 28, 2025 22:13:42.673567057 CET	49373	445	192.168.2.22	79.120.121.88
Mar 28, 2025 22:13:42.907396078 CET	49376	445	192.168.2.22	7.183.154.32
Mar 28, 2025 22:13:43.094516039 CET	49379	445	192.168.2.22	202.138.100.114
Mar 28, 2025 22:13:43.141357899 CET	49380	445	192.168.2.22	16.13.30.135
Mar 28, 2025 22:13:43.328836918 CET	49382	445	192.168.2.22	124.148.8.236
Mar 28, 2025 22:13:43.406661034 CET	49384	445	192.168.2.22	105.228.76.67
Mar 28, 2025 22:13:43.585227966 CET	49387	445	192.168.2.22	152.163.32.169
Mar 28, 2025 22:13:43.609450102 CET	49388	445	192.168.2.22	15.201.178.168
Mar 28, 2025 22:13:43.796762943 CET	49392	445	192.168.2.22	20.30.150.187
Mar 28, 2025 22:13:43.984184980 CET	49394	445	192.168.2.22	197.203.173.195
Mar 28, 2025 22:13:44.030601978 CET	49396	445	192.168.2.22	96.81.82.135
Mar 28, 2025 22:13:44.217835903 CET	49399	445	192.168.2.22	34.238.48.77
Mar 28, 2025 22:13:44.324876070 CET	49400	445	192.168.2.22	151.14.212.165
Mar 28, 2025 22:13:44.454633951 CET	49402	445	192.168.2.22	148.229.217.69
Mar 28, 2025 22:13:44.530853987 CET	49404	445	192.168.2.22	195.147.120.80
Mar 28, 2025 22:13:44.701452017 CET	49408	445	192.168.2.22	119.91.210.129
Mar 28, 2025 22:13:44.732626915 CET	49410	445	192.168.2.22	207.106.28.14
Mar 28, 2025 22:13:44.919825077 CET	49413	445	192.168.2.22	55.245.252.132
Mar 28, 2025 22:13:45.106952906 CET	49416	445	192.168.2.22	189.209.116.60
Mar 28, 2025 22:13:45.153925896 CET	49418	445	192.168.2.22	41.238.172.233
Mar 28, 2025 22:13:45.341070890 CET	49419	445	192.168.2.22	4.84.0.61
Mar 28, 2025 22:13:45.450221062 CET	49421	445	192.168.2.22	214.24.149.164
Mar 28, 2025 22:13:45.575120926 CET	49422	445	192.168.2.22	123.18.170.237
Mar 28, 2025 22:13:45.653009892 CET	49424	445	192.168.2.22	98.151.217.175
Mar 28, 2025 22:13:45.824590921 CET	49428	445	192.168.2.22	105.178.220.183
Mar 28, 2025 22:13:45.855813980 CET	49429	445	192.168.2.22	148.39.0.26
Mar 28, 2025 22:13:45.996299982 CET	49433	445	192.168.2.22	60.194.22.156
Mar 28, 2025 22:13:46.043176889 CET	49434	445	192.168.2.22	159.234.222.237
Mar 28, 2025 22:13:46.230178118 CET	49438	445	192.168.2.22	73.147.49.137
Mar 28, 2025 22:13:46.277045965 CET	49439	445	192.168.2.22	123.131.59.57
Mar 28, 2025 22:13:46.464360952 CET	49441	445	192.168.2.22	184.88.152.97
Mar 28, 2025 22:13:46.573539019 CET	49442	445	192.168.2.22	20.28.170.20
Mar 28, 2025 22:13:46.698235989 CET	49443	445	192.168.2.22	88.53.76.71
Mar 28, 2025 22:13:46.776209116 CET	49445	445	192.168.2.22	193.62.156.36
Mar 28, 2025 22:13:46.948220015 CET	49449	445	192.168.2.22	79.171.69.105
Mar 28, 2025 22:13:46.979208946 CET	49450	445	192.168.2.22	1.239.5.200
Mar 28, 2025 22:13:47.120795965 CET	49453	445	192.168.2.22	31.117.66.175
Mar 28, 2025 22:13:47.168914080 CET	49455	445	192.168.2.22	171.73.152.92
Mar 28, 2025 22:13:47.355230093 CET	49459	445	192.168.2.22	181.94.75.76
Mar 28, 2025 22:13:47.406860113 CET	49460	445	192.168.2.22	27.120.100.183
Mar 28, 2025 22:13:47.590503931 CET	49462	445	192.168.2.22	122.58.126.15
Mar 28, 2025 22:13:47.699323893 CET	49463	445	192.168.2.22	218.146.212.110
Mar 28, 2025 22:13:47.821695089 CET	49465	445	192.168.2.22	110.172.80.85
Mar 28, 2025 22:13:47.899441004 CET	49466	445	192.168.2.22	62.185.251.241
Mar 28, 2025 22:13:48.008706093 CET	49469	445	192.168.2.22	47.217.200.31
Mar 28, 2025 22:13:48.071049929 CET	49471	445	192.168.2.22	218.138.187.213
Mar 28, 2025 22:13:48.102551937 CET	49472	445	192.168.2.22	142.239.251.76
Mar 28, 2025 22:13:48.242666960 CET	49476	445	192.168.2.22	204.32.121.17
Mar 28, 2025 22:13:48.289539099 CET	49477	445	192.168.2.22	141.175.149.49
Mar 28, 2025 22:13:48.476635933 CET	49481	445	192.168.2.22	21.63.180.101
Mar 28, 2025 22:13:48.523544073 CET	49482	445	192.168.2.22	120.107.118.33
Mar 28, 2025 22:13:48.710716963 CET	49484	445	192.168.2.22	75.137.181.145
Mar 28, 2025 22:13:48.819924116 CET	49485	445	192.168.2.22	118.108.63.98
Mar 28, 2025 22:13:48.944761038 CET	49487	445	192.168.2.22	216.159.85.220
Mar 28, 2025 22:13:49.022763968 CET	49488	445	192.168.2.22	195.188.243.7
Mar 28, 2025 22:13:49.131767035 CET	49491	445	192.168.2.22	88.174.211.137
Mar 28, 2025 22:13:49.194215059 CET	49493	445	192.168.2.22	71.83.121.60
Mar 28, 2025 22:13:49.225405931 CET	49494	445	192.168.2.22	51.18.108.58
Mar 28, 2025 22:13:49.365928888 CET	49498	445	192.168.2.22	51.90.227.172
Mar 28, 2025 22:13:49.413614035 CET	49499	445	192.168.2.22	101.110.219.96
Mar 28, 2025 22:13:49.599847078 CET	49503	445	192.168.2.22	63.94.226.140
Mar 28, 2025 22:13:49.646697044 CET	49504	445	192.168.2.22	8.71.91.91
Mar 28, 2025 22:13:49.833899975 CET	49506	445	192.168.2.22	167.189.200.101
Mar 28, 2025 22:13:49.960014105 CET	49507	445	192.168.2.22	212.44.72.209
Mar 28, 2025 22:13:50.028090954 CET	49509	445	192.168.2.22	183.149.227.148
Mar 28, 2025 22:13:50.068206072 CET	49510	445	192.168.2.22	193.140.205.131
Mar 28, 2025 22:13:50.148314953 CET	49511	445	192.168.2.22	193.57.176.125
Mar 28, 2025 22:13:50.257467985 CET	49514	445	192.168.2.22	68.154.153.234
Mar 28, 2025 22:13:50.317810059 CET	49516	445	192.168.2.22	16.251.104.223
Mar 28, 2025 22:13:50.352611065 CET	49517	445	192.168.2.22	116.151.102.168
Mar 28, 2025 22:13:50.489144087 CET	49521	445	192.168.2.22	2.186.65.81
Mar 28, 2025 22:13:50.536037922 CET	49522	445	192.168.2.22	36.74.206.57
Mar 28, 2025 22:13:50.723254919 CET	49526	445	192.168.2.22	164.61.205.169
Mar 28, 2025 22:13:50.769944906 CET	49527	445	192.168.2.22	198.172.240.205
Mar 28, 2025 22:13:50.957025051 CET	49529	445	192.168.2.22	93.12.253.31
Mar 28, 2025 22:13:51.081834078 CET	49531	445	192.168.2.22	19.29.137.244
Mar 28, 2025 22:13:51.144167900 CET	49532	445	192.168.2.22	139.189.11.160
Mar 28, 2025 22:13:51.191212893 CET	49533	445	192.168.2.22	82.93.181.178
Mar 28, 2025 22:13:51.269089937 CET	49534	445	192.168.2.22	13.238.197.114
Mar 28, 2025 22:13:51.378145933 CET	49537	445	192.168.2.22	84.172.176.246
Mar 28, 2025 22:13:51.440654039 CET	49539	445	192.168.2.22	179.179.108.29
Mar 28, 2025 22:13:51.471824884 CET	49540	445	192.168.2.22	182.213.185.55
Mar 28, 2025 22:13:51.612433910 CET	49544	445	192.168.2.22	82.141.231.90
Mar 28, 2025 22:13:51.659259081 CET	49545	445	192.168.2.22	41.94.210.46
Mar 28, 2025 22:13:51.846312046 CET	49549	445	192.168.2.22	99.174.244.233
Mar 28, 2025 22:13:52.033839941 CET	49552	445	192.168.2.22	186.180.179.65
Mar 28, 2025 22:13:52.080276012 CET	49554	445	192.168.2.22	54.31.142.49
Mar 28, 2025 22:13:52.205276966 CET	49555	445	192.168.2.22	58.102.174.6
Mar 28, 2025 22:13:52.267576933 CET	49556	445	192.168.2.22	124.139.246.184
Mar 28, 2025 22:13:52.314368010 CET	49557	445	192.168.2.22	218.64.104.126
Mar 28, 2025 22:13:52.392319918 CET	49559	445	192.168.2.22	134.160.150.158
Mar 28, 2025 22:13:52.501679897 CET	49562	445	192.168.2.22	132.221.185.37
Mar 28, 2025 22:13:52.566391945 CET	49564	445	192.168.2.22	186.221.76.216
Mar 28, 2025 22:13:52.595077038 CET	49566	445	192.168.2.22	88.143.91.35
Mar 28, 2025 22:13:52.735485077 CET	49568	445	192.168.2.22	16.116.78.208
Mar 28, 2025 22:13:52.788114071 CET	49569	445	192.168.2.22	162.251.130.244
Mar 28, 2025 22:13:52.971431971 CET	49573	445	192.168.2.22	7.6.97.154
Mar 28, 2025 22:13:53.016390085 CET	49574	445	192.168.2.22	98.233.164.168
Mar 28, 2025 22:13:53.162344933 CET	49577	445	192.168.2.22	78.11.62.65
Mar 28, 2025 22:13:53.203995943 CET	49578	445	192.168.2.22	11.164.73.11
Mar 28, 2025 22:13:53.369350910 CET	49579	445	192.168.2.22	32.158.251.29
Mar 28, 2025 22:13:53.390619040 CET	49581	445	192.168.2.22	185.168.65.222
Mar 28, 2025 22:13:53.437482119 CET	49583	445	192.168.2.22	83.218.187.193
Mar 28, 2025 22:13:53.515522957 CET	49584	445	192.168.2.22	211.65.232.156
Mar 28, 2025 22:13:53.624593973 CET	49585	445	192.168.2.22	136.123.114.166
Mar 28, 2025 22:13:53.687119961 CET	49586	445	192.168.2.22	204.133.149.2
Mar 28, 2025 22:13:53.718234062 CET	49587	445	192.168.2.22	174.29.217.201
Mar 28, 2025 22:13:53.858628035 CET	49588	445	192.168.2.22	67.131.5.11
Mar 28, 2025 22:13:53.905594110 CET	49589	445	192.168.2.22	42.77.207.228
Mar 28, 2025 22:13:54.046173096 CET	49590	445	192.168.2.22	100.102.173.178
Mar 28, 2025 22:13:54.092794895 CET	49591	445	192.168.2.22	214.58.9.29
Mar 28, 2025 22:13:54.139468908 CET	49592	445	192.168.2.22	181.162.25.84
Mar 28, 2025 22:13:54.279815912 CET	49593	445	192.168.2.22	141.136.94.45
Mar 28, 2025 22:13:54.326674938 CET	49594	445	192.168.2.22	121.63.211.142
Mar 28, 2025 22:13:54.483028889 CET	49595	445	192.168.2.22	130.73.209.40
Mar 28, 2025 22:13:54.522900105 CET	49596	445	192.168.2.22	8.201.179.173
Mar 28, 2025 22:13:54.565586090 CET	49597	445	192.168.2.22	180.62.33.214
Mar 28, 2025 22:13:54.638614893 CET	49598	445	192.168.2.22	40.250.238.166
Mar 28, 2025 22:13:54.748037100 CET	49599	445	192.168.2.22	16.137.24.138
Mar 28, 2025 22:13:54.810631990 CET	49600	445	192.168.2.22	13.130.184.21
Mar 28, 2025 22:13:54.841661930 CET	49601	445	192.168.2.22	41.195.14.54
Mar 28, 2025 22:13:54.984015942 CET	49602	445	192.168.2.22	18.106.91.72
Mar 28, 2025 22:13:55.028920889 CET	49603	445	192.168.2.22	50.4.175.155
Mar 28, 2025 22:13:55.169018984 CET	49604	445	192.168.2.22	191.190.41.37
Mar 28, 2025 22:13:55.215787888 CET	49605	445	192.168.2.22	102.113.230.17
Mar 28, 2025 22:13:55.262608051 CET	49606	445	192.168.2.22	221.153.135.51
Mar 28, 2025 22:13:55.403026104 CET	49607	445	192.168.2.22	6.23.58.202
Mar 28, 2025 22:13:55.449784040 CET	49608	445	192.168.2.22	61.0.40.163
Mar 28, 2025 22:13:55.605910063 CET	49609	445	192.168.2.22	58.254.36.48
Mar 28, 2025 22:13:55.636991024 CET	49610	445	192.168.2.22	219.253.192.186
Mar 28, 2025 22:13:55.683871984 CET	49611	445	192.168.2.22	138.237.254.188
Mar 28, 2025 22:13:55.762020111 CET	49612	445	192.168.2.22	90.235.143.136
Mar 28, 2025 22:13:55.871249914 CET	49613	445	192.168.2.22	110.151.72.78
Mar 28, 2025 22:13:55.933875084 CET	49614	445	192.168.2.22	122.155.112.79
Mar 28, 2025 22:13:55.964827061 CET	49615	445	192.168.2.22	19.208.149.37
Mar 28, 2025 22:13:56.058657885 CET	49616	445	192.168.2.22	147.23.59.218
Mar 28, 2025 22:13:56.104964018 CET	49617	445	192.168.2.22	214.41.214.9
Mar 28, 2025 22:13:56.151983976 CET	49618	445	192.168.2.22	46.233.70.54
Mar 28, 2025 22:13:56.292268991 CET	49619	445	192.168.2.22	192.102.190.157
Mar 28, 2025 22:13:56.339226961 CET	49620	445	192.168.2.22	104.162.131.240
Mar 28, 2025 22:13:56.386023045 CET	49621	445	192.168.2.22	43.40.212.164
Mar 28, 2025 22:13:56.526415110 CET	49622	445	192.168.2.22	99.184.92.83
Mar 28, 2025 22:13:56.573026896 CET	49623	445	192.168.2.22	191.38.220.79
Mar 28, 2025 22:13:56.729121923 CET	49624	445	192.168.2.22	139.16.199.207
Mar 28, 2025 22:13:56.760201931 CET	49625	445	192.168.2.22	107.20.195.27
Mar 28, 2025 22:13:56.807054043 CET	49626	445	192.168.2.22	89.193.167.201
Mar 28, 2025 22:13:56.885080099 CET	49627	445	192.168.2.22	55.155.99.34
Mar 28, 2025 22:13:56.994226933 CET	49628	445	192.168.2.22	217.149.225.63
Mar 28, 2025 22:13:57.056763887 CET	49629	445	192.168.2.22	110.56.93.122
Mar 28, 2025 22:13:57.088026047 CET	49630	445	192.168.2.22	91.42.124.173
Mar 28, 2025 22:13:57.181493998 CET	49631	445	192.168.2.22	142.149.151.128
Mar 28, 2025 22:13:57.228369951 CET	49632	445	192.168.2.22	15.81.151.12
Mar 28, 2025 22:13:57.415407896 CET	49634	445	192.168.2.22	172.248.128.9
Mar 28, 2025 22:13:57.462840080 CET	49635	445	192.168.2.22	56.37.34.1
Mar 28, 2025 22:13:57.509145975 CET	49636	445	192.168.2.22	148.80.94.23
Mar 28, 2025 22:13:57.649411917 CET	49637	445	192.168.2.22	64.184.145.108
Mar 28, 2025 22:13:57.696476936 CET	49638	445	192.168.2.22	103.9.198.209
Mar 28, 2025 22:13:57.874407053 CET	49639	445	192.168.2.22	52.146.43.194
Mar 28, 2025 22:13:57.883416891 CET	49640	445	192.168.2.22	101.131.133.124
Mar 28, 2025 22:13:57.932275057 CET	49641	445	192.168.2.22	7.201.98.157
Mar 28, 2025 22:13:58.009708881 CET	49642	445	192.168.2.22	137.178.21.76
Mar 28, 2025 22:13:58.071898937 CET	49643	445	192.168.2.22	123.24.167.14
Mar 28, 2025 22:13:58.117700100 CET	49644	445	192.168.2.22	51.160.249.190
Mar 28, 2025 22:13:58.179950953 CET	49645	445	192.168.2.22	59.52.193.102
Mar 28, 2025 22:13:58.213284016 CET	49646	445	192.168.2.22	172.31.215.203
Mar 28, 2025 22:13:58.307979107 CET	49647	445	192.168.2.22	175.210.209.52
Mar 28, 2025 22:13:58.353734970 CET	49648	445	192.168.2.22	44.57.91.176
Mar 28, 2025 22:13:58.399719000 CET	49649	445	192.168.2.22	170.91.159.85
Mar 28, 2025 22:13:58.554502964 CET	49650	445	192.168.2.22	65.243.62.49
Mar 28, 2025 22:13:58.585500956 CET	49651	445	192.168.2.22	136.72.77.194
Mar 28, 2025 22:13:58.632281065 CET	49652	445	192.168.2.22	51.15.138.20
Mar 28, 2025 22:13:58.772965908 CET	49653	445	192.168.2.22	132.52.241.92
Mar 28, 2025 22:13:58.819442034 CET	49654	445	192.168.2.22	184.252.102.107
Mar 28, 2025 22:13:58.991123915 CET	49655	445	192.168.2.22	188.223.105.34
Mar 28, 2025 22:13:59.006740093 CET	49656	445	192.168.2.22	135.119.166.112
Mar 28, 2025 22:13:59.053524017 CET	49657	445	192.168.2.22	204.101.164.38
Mar 28, 2025 22:13:59.131546021 CET	49658	445	192.168.2.22	215.223.189.242
Mar 28, 2025 22:13:59.193906069 CET	49659	445	192.168.2.22	200.221.215.52
Mar 28, 2025 22:13:59.240639925 CET	49660	445	192.168.2.22	101.231.136.50
Mar 28, 2025 22:13:59.303147078 CET	49661	445	192.168.2.22	69.15.235.157
Mar 28, 2025 22:13:59.334353924 CET	49662	445	192.168.2.22	206.199.118.37
Mar 28, 2025 22:13:59.427892923 CET	49663	445	192.168.2.22	134.165.62.75
Mar 28, 2025 22:13:59.474589109 CET	49664	445	192.168.2.22	67.90.159.8
Mar 28, 2025 22:13:59.521841049 CET	49665	445	192.168.2.22	138.167.78.159
Mar 28, 2025 22:13:59.677762985 CET	49666	445	192.168.2.22	113.68.63.111
Mar 28, 2025 22:13:59.708920956 CET	49667	445	192.168.2.22	39.218.87.14
Mar 28, 2025 22:13:59.755542994 CET	49668	445	192.168.2.22	128.122.125.160
Mar 28, 2025 22:13:59.895787954 CET	49669	445	192.168.2.22	157.80.175.69
Mar 28, 2025 22:13:59.942694902 CET	49670	445	192.168.2.22	168.116.240.71
Mar 28, 2025 22:14:00.083394051 CET	49671	445	192.168.2.22	105.155.64.121
Mar 28, 2025 22:14:00.130033016 CET	49672	445	192.168.2.22	70.126.197.199
Mar 28, 2025 22:14:00.142781973 CET	49673	445	192.168.2.22	207.142.99.93
Mar 28, 2025 22:14:00.176738977 CET	49674	445	192.168.2.22	203.251.211.135
Mar 28, 2025 22:14:00.270360947 CET	49675	445	192.168.2.22	53.86.52.241
Mar 28, 2025 22:14:00.317291975 CET	49676	445	192.168.2.22	39.143.132.2
Mar 28, 2025 22:14:00.364094019 CET	49677	445	192.168.2.22	102.10.60.172
Mar 28, 2025 22:14:00.426414013 CET	49678	445	192.168.2.22	14.65.166.75
Mar 28, 2025 22:14:00.457520008 CET	49679	445	192.168.2.22	186.199.106.217
Mar 28, 2025 22:14:00.551045895 CET	49680	445	192.168.2.22	134.104.202.207
Mar 28, 2025 22:14:00.598093033 CET	49681	445	192.168.2.22	28.189.233.238
Mar 28, 2025 22:14:00.645018101 CET	49682	445	192.168.2.22	111.172.226.171
Mar 28, 2025 22:14:00.800992966 CET	49683	445	192.168.2.22	83.222.160.55
Mar 28, 2025 22:14:00.839031935 CET	49684	445	192.168.2.22	118.227.38.237
Mar 28, 2025 22:14:00.879075050 CET	49685	445	192.168.2.22	80.2.190.238
Mar 28, 2025 22:14:01.019063950 CET	49686	445	192.168.2.22	142.127.200.55
Mar 28, 2025 22:14:01.065855980 CET	49687	445	192.168.2.22	119.166.214.194
Mar 28, 2025 22:14:01.206253052 CET	49688	445	192.168.2.22	67.27.114.56
Mar 28, 2025 22:14:01.253233910 CET	49690	445	192.168.2.22	29.241.159.3
Mar 28, 2025 22:14:01.253257990 CET	49689	445	192.168.2.22	144.153.72.99
Mar 28, 2025 22:14:01.300101995 CET	49691	445	192.168.2.22	119.188.114.169
Mar 28, 2025 22:14:01.393846989 CET	49692	445	192.168.2.22	111.23.77.181
Mar 28, 2025 22:14:01.440413952 CET	49693	445	192.168.2.22	84.213.184.157
Mar 28, 2025 22:14:01.487163067 CET	49694	445	192.168.2.22	26.128.52.149
Mar 28, 2025 22:14:01.550029993 CET	49695	445	192.168.2.22	47.101.231.189
Mar 28, 2025 22:14:01.580656052 CET	49696	445	192.168.2.22	2.186.251.13
Mar 28, 2025 22:14:01.674597025 CET	49697	445	192.168.2.22	170.238.136.160
Mar 28, 2025 22:14:01.721375942 CET	49698	445	192.168.2.22	219.252.100.94
Mar 28, 2025 22:14:01.768142939 CET	49699	445	192.168.2.22	107.184.141.204
Mar 28, 2025 22:14:01.924108028 CET	49700	445	192.168.2.22	51.132.213.203
Mar 28, 2025 22:14:01.955028057 CET	49701	445	192.168.2.22	183.184.185.12
Mar 28, 2025 22:14:02.002082109 CET	49702	445	192.168.2.22	143.63.72.228
Mar 28, 2025 22:14:02.096129894 CET	49703	445	192.168.2.22	157.190.27.125
Mar 28, 2025 22:14:02.142443895 CET	49704	445	192.168.2.22	91.54.57.35
Mar 28, 2025 22:14:02.189491034 CET	49705	445	192.168.2.22	179.1.182.81
Mar 28, 2025 22:14:02.329437017 CET	49706	445	192.168.2.22	118.112.108.157
Mar 28, 2025 22:14:02.376250029 CET	49707	445	192.168.2.22	7.100.71.236
Mar 28, 2025 22:14:02.376549006 CET	49708	445	192.168.2.22	193.212.69.125
Mar 28, 2025 22:14:02.423078060 CET	49709	445	192.168.2.22	139.224.234.12
Mar 28, 2025 22:14:02.518691063 CET	49710	445	192.168.2.22	111.163.210.91
Mar 28, 2025 22:14:02.564425945 CET	49711	445	192.168.2.22	165.14.229.233
Mar 28, 2025 22:14:02.610213041 CET	49712	445	192.168.2.22	190.55.60.36
Mar 28, 2025 22:14:02.672632933 CET	49713	445	192.168.2.22	63.22.12.114
Mar 28, 2025 22:14:02.703826904 CET	49714	445	192.168.2.22	120.220.204.128
Mar 28, 2025 22:14:02.844460011 CET	49715	445	192.168.2.22	163.21.38.223
Mar 28, 2025 22:14:02.844542027 CET	49716	445	192.168.2.22	63.66.14.81
Mar 28, 2025 22:14:02.891247034 CET	49717	445	192.168.2.22	185.121.158.241
Mar 28, 2025 22:14:03.047060966 CET	49718	445	192.168.2.22	121.227.60.152
Mar 28, 2025 22:14:03.078248978 CET	49719	445	192.168.2.22	105.188.18.126
Mar 28, 2025 22:14:03.130176067 CET	49720	445	192.168.2.22	17.11.229.29
Mar 28, 2025 22:14:03.221754074 CET	49721	445	192.168.2.22	119.227.153.127
Mar 28, 2025 22:14:03.265835047 CET	49722	445	192.168.2.22	81.112.88.240
Mar 28, 2025 22:14:03.313607931 CET	49723	445	192.168.2.22	151.239.25.241
Mar 28, 2025 22:14:03.452584982 CET	49724	445	192.168.2.22	32.19.99.89
Mar 28, 2025 22:14:03.499583006 CET	49725	445	192.168.2.22	215.131.137.201
Mar 28, 2025 22:14:03.499583006 CET	49726	445	192.168.2.22	117.74.187.198
Mar 28, 2025 22:14:03.546262980 CET	49727	445	192.168.2.22	79.218.7.244
Mar 28, 2025 22:14:03.640002012 CET	49728	445	192.168.2.22	179.85.90.114
Mar 28, 2025 22:14:03.687127113 CET	49729	445	192.168.2.22	58.190.51.61
Mar 28, 2025 22:14:03.733638048 CET	49730	445	192.168.2.22	124.204.172.161
Mar 28, 2025 22:14:03.796109915 CET	49731	445	192.168.2.22	140.117.16.146
Mar 28, 2025 22:14:03.827327967 CET	49732	445	192.168.2.22	5.107.65.7
Mar 28, 2025 22:14:03.967469931 CET	49733	445	192.168.2.22	177.62.190.125
Mar 28, 2025 22:14:03.967637062 CET	49734	445	192.168.2.22	77.37.174.184
Mar 28, 2025 22:14:03.967698097 CET	49735	445	192.168.2.22	211.101.65.97
Mar 28, 2025 22:14:04.014791965 CET	49736	445	192.168.2.22	198.55.131.227
Mar 28, 2025 22:14:04.170448065 CET	49737	445	192.168.2.22	121.232.66.202
Mar 28, 2025 22:14:04.201523066 CET	49738	445	192.168.2.22	55.20.154.205
Mar 28, 2025 22:14:04.248487949 CET	49739	445	192.168.2.22	195.19.209.153
Mar 28, 2025 22:14:04.342057943 CET	49740	445	192.168.2.22	56.184.149.100
Mar 28, 2025 22:14:04.388911963 CET	49741	445	192.168.2.22	56.0.236.94
Mar 28, 2025 22:14:04.435477972 CET	49742	445	192.168.2.22	116.212.172.72
Mar 28, 2025 22:14:04.576191902 CET	49743	445	192.168.2.22	180.97.207.116
Mar 28, 2025 22:14:04.622618914 CET	49744	445	192.168.2.22	30.65.112.179
Mar 28, 2025 22:14:04.631742954 CET	49745	445	192.168.2.22	94.79.216.186
Mar 28, 2025 22:14:04.669892073 CET	49746	445	192.168.2.22	13.187.254.60
Mar 28, 2025 22:14:04.778687000 CET	49747	445	192.168.2.22	2.240.28.40
Mar 28, 2025 22:14:04.810024977 CET	49748	445	192.168.2.22	70.112.22.118
Mar 28, 2025 22:14:04.856762886 CET	49749	445	192.168.2.22	60.216.202.195
Mar 28, 2025 22:14:04.919228077 CET	49750	445	192.168.2.22	119.104.89.81
Mar 28, 2025 22:14:04.950361013 CET	49751	445	192.168.2.22	11.146.114.174
Mar 28, 2025 22:14:05.090636015 CET	49752	445	192.168.2.22	123.213.178.25
Mar 28, 2025 22:14:05.090723038 CET	49753	445	192.168.2.22	64.151.149.57
Mar 28, 2025 22:14:05.090729952 CET	49754	445	192.168.2.22	209.126.172.117
Mar 28, 2025 22:14:05.137893915 CET	49755	445	192.168.2.22	76.26.12.61
Mar 28, 2025 22:14:05.293622971 CET	49756	445	192.168.2.22	70.175.152.137
Mar 28, 2025 22:14:05.324640989 CET	49757	445	192.168.2.22	118.199.90.96
Mar 28, 2025 22:14:05.371460915 CET	49758	445	192.168.2.22	96.221.221.195
Mar 28, 2025 22:14:05.465092897 CET	49759	445	192.168.2.22	161.101.6.20
Mar 28, 2025 22:14:05.511826992 CET	49760	445	192.168.2.22	54.116.157.253
Mar 28, 2025 22:14:05.558607101 CET	49761	445	192.168.2.22	64.56.188.130
Mar 28, 2025 22:14:05.699197054 CET	49762	445	192.168.2.22	4.211.252.173
Mar 28, 2025 22:14:05.745925903 CET	49764	445	192.168.2.22	107.97.18.21
Mar 28, 2025 22:14:05.745938063 CET	49765	445	192.168.2.22	16.66.97.113
Mar 28, 2025 22:14:05.792803049 CET	49766	445	192.168.2.22	86.33.109.167
Mar 28, 2025 22:14:05.902098894 CET	49767	445	192.168.2.22	148.244.147.249
Mar 28, 2025 22:14:05.933424950 CET	49768	445	192.168.2.22	196.169.51.8
Mar 28, 2025 22:14:05.979998112 CET	49769	445	192.168.2.22	217.197.182.142
Mar 28, 2025 22:14:06.042399883 CET	49770	445	192.168.2.22	86.93.45.86
Mar 28, 2025 22:14:06.073699951 CET	49771	445	192.168.2.22	61.166.54.193
Mar 28, 2025 22:14:06.213824987 CET	49772	445	192.168.2.22	16.167.124.252
Mar 28, 2025 22:14:06.213892937 CET	49773	445	192.168.2.22	173.23.1.136
Mar 28, 2025 22:14:06.213951111 CET	49774	445	192.168.2.22	72.73.209.74
Mar 28, 2025 22:14:06.260663033 CET	49775	445	192.168.2.22	5.20.72.217
Mar 28, 2025 22:14:06.416676044 CET	49776	445	192.168.2.22	214.73.165.190
Mar 28, 2025 22:14:06.447959900 CET	49777	445	192.168.2.22	46.2.124.48
Mar 28, 2025 22:14:06.494719028 CET	49778	445	192.168.2.22	156.170.70.174
Mar 28, 2025 22:14:06.588432074 CET	49779	445	192.168.2.22	144.229.123.52
Mar 28, 2025 22:14:06.635065079 CET	49780	445	192.168.2.22	10.152.159.39
Mar 28, 2025 22:14:06.688627958 CET	49781	445	192.168.2.22	89.171.168.190
Mar 28, 2025 22:14:06.822247028 CET	49782	445	192.168.2.22	47.241.90.251
Mar 28, 2025 22:14:06.837806940 CET	49783	445	192.168.2.22	214.171.118.121
Mar 28, 2025 22:14:06.869122028 CET	49784	445	192.168.2.22	213.191.230.174
Mar 28, 2025 22:14:06.869170904 CET	49785	445	192.168.2.22	216.246.125.169
Mar 28, 2025 22:14:06.916043043 CET	49786	445	192.168.2.22	121.12.192.94
Mar 28, 2025 22:14:07.029894114 CET	49787	445	192.168.2.22	83.18.190.61
Mar 28, 2025 22:14:07.056329012 CET	49788	445	192.168.2.22	217.115.68.91
Mar 28, 2025 22:14:07.103013039 CET	49789	445	192.168.2.22	175.91.47.217
Mar 28, 2025 22:14:07.165540934 CET	49790	445	192.168.2.22	190.14.81.189
Mar 28, 2025 22:14:07.197077036 CET	49791	445	192.168.2.22	104.251.109.116
Mar 28, 2025 22:14:07.337059975 CET	49793	445	192.168.2.22	17.67.106.185
Mar 28, 2025 22:14:07.337116003 CET	49794	445	192.168.2.22	149.199.203.42
Mar 28, 2025 22:14:07.337158918 CET	49792	445	192.168.2.22	170.11.234.127
Mar 28, 2025 22:14:07.353235960 CET	49795	445	192.168.2.22	14.240.235.145
Mar 28, 2025 22:14:07.384001970 CET	49796	445	192.168.2.22	174.214.185.202
Mar 28, 2025 22:14:07.539958954 CET	49797	445	192.168.2.22	104.2.193.15
Mar 28, 2025 22:14:07.571019888 CET	49798	445	192.168.2.22	25.159.164.56
Mar 28, 2025 22:14:07.617892981 CET	49799	445	192.168.2.22	1.198.205.72
Mar 28, 2025 22:14:07.719489098 CET	49800	445	192.168.2.22	142.174.236.144
Mar 28, 2025 22:14:07.758339882 CET	49801	445	192.168.2.22	110.67.233.108
Mar 28, 2025 22:14:07.805211067 CET	49802	445	192.168.2.22	78.95.54.178
Mar 28, 2025 22:14:07.945447922 CET	49803	445	192.168.2.22	62.245.232.254
Mar 28, 2025 22:14:07.961020947 CET	49804	445	192.168.2.22	133.182.135.86
Mar 28, 2025 22:14:07.992269039 CET	49806	445	192.168.2.22	169.217.120.143
Mar 28, 2025 22:14:07.992405891 CET	49805	445	192.168.2.22	169.185.200.71
Mar 28, 2025 22:14:08.039211988 CET	49807	445	192.168.2.22	41.170.97.86
Mar 28, 2025 22:14:08.148825884 CET	49808	445	192.168.2.22	25.143.240.232
Mar 28, 2025 22:14:08.179771900 CET	49809	445	192.168.2.22	148.223.9.136
Mar 28, 2025 22:14:08.226232052 CET	49810	445	192.168.2.22	16.111.134.13
Mar 28, 2025 22:14:08.288717031 CET	49811	445	192.168.2.22	217.206.25.159
Mar 28, 2025 22:14:08.319868088 CET	49812	445	192.168.2.22	205.25.23.33
Mar 28, 2025 22:14:08.460247040 CET	49813	445	192.168.2.22	64.124.151.170
Mar 28, 2025 22:14:08.460329056 CET	49815	445	192.168.2.22	199.117.68.165
Mar 28, 2025 22:14:08.464051962 CET	49814	445	192.168.2.22	37.174.65.106
Mar 28, 2025 22:14:08.475855112 CET	49816	445	192.168.2.22	163.239.151.208
Mar 28, 2025 22:14:08.507189035 CET	49817	445	192.168.2.22	38.203.154.71
Mar 28, 2025 22:14:08.663135052 CET	49818	445	192.168.2.22	8.120.186.134
Mar 28, 2025 22:14:08.694230080 CET	49819	445	192.168.2.22	99.156.81.96
Mar 28, 2025 22:14:08.746602058 CET	49820	445	192.168.2.22	98.232.68.241
Mar 28, 2025 22:14:08.834692955 CET	49821	445	192.168.2.22	143.250.66.220
Mar 28, 2025 22:14:08.881513119 CET	49822	445	192.168.2.22	124.161.37.82
Mar 28, 2025 22:14:08.881869078 CET	49823	445	192.168.2.22	223.81.101.154
Mar 28, 2025 22:14:08.928674936 CET	49824	445	192.168.2.22	79.83.39.175
Mar 28, 2025 22:14:09.068797112 CET	49825	445	192.168.2.22	143.71.90.63
Mar 28, 2025 22:14:09.084403992 CET	49826	445	192.168.2.22	139.182.15.135
Mar 28, 2025 22:14:09.115492105 CET	49827	445	192.168.2.22	207.172.167.173
Mar 28, 2025 22:14:09.115556002 CET	49828	445	192.168.2.22	109.223.95.158
Mar 28, 2025 22:14:09.162312031 CET	49829	445	192.168.2.22	143.58.187.188
Mar 28, 2025 22:14:09.271889925 CET	49830	445	192.168.2.22	151.64.206.64
Mar 28, 2025 22:14:09.302819967 CET	49831	445	192.168.2.22	37.189.33.17
Mar 28, 2025 22:14:09.349543095 CET	49832	445	192.168.2.22	208.201.59.228
Mar 28, 2025 22:14:09.412558079 CET	49833	445	192.168.2.22	200.122.88.126
Mar 28, 2025 22:14:09.443161964 CET	49834	445	192.168.2.22	174.122.19.31
Mar 28, 2025 22:14:09.583533049 CET	49835	445	192.168.2.22	115.104.134.225
Mar 28, 2025 22:14:09.583539009 CET	49836	445	192.168.2.22	150.22.40.160
Mar 28, 2025 22:14:09.583833933 CET	49837	445	192.168.2.22	28.146.217.83
Mar 28, 2025 22:14:09.599154949 CET	49838	445	192.168.2.22	33.5.91.95
Mar 28, 2025 22:14:09.630285978 CET	49839	445	192.168.2.22	98.180.88.78
Mar 28, 2025 22:14:09.786250114 CET	49840	445	192.168.2.22	20.58.226.233
Mar 28, 2025 22:14:09.817466974 CET	49841	445	192.168.2.22	208.211.201.31
Mar 28, 2025 22:14:09.864398003 CET	49842	445	192.168.2.22	31.164.110.242
Mar 28, 2025 22:14:09.958070040 CET	49843	445	192.168.2.22	38.36.212.231
Mar 28, 2025 22:14:10.004738092 CET	49844	445	192.168.2.22	50.146.154.127
Mar 28, 2025 22:14:10.004854918 CET	49845	445	192.168.2.22	107.173.203.249
Mar 28, 2025 22:14:10.051721096 CET	49846	445	192.168.2.22	144.198.56.8
Mar 28, 2025 22:14:10.191853046 CET	49847	445	192.168.2.22	170.71.49.111
Mar 28, 2025 22:14:10.207432985 CET	49848	445	192.168.2.22	27.253.113.223
Mar 28, 2025 22:14:10.238637924 CET	49849	445	192.168.2.22	29.226.23.37
Mar 28, 2025 22:14:10.238858938 CET	49850	445	192.168.2.22	50.121.233.130
Mar 28, 2025 22:14:10.285561085 CET	49851	445	192.168.2.22	125.67.153.152
Mar 28, 2025 22:14:10.301215887 CET	49852	445	192.168.2.22	196.72.69.115
Mar 28, 2025 22:14:10.394664049 CET	49853	445	192.168.2.22	151.214.160.70
Mar 28, 2025 22:14:10.426268101 CET	49854	445	192.168.2.22	128.229.192.41
Mar 28, 2025 22:14:10.472646952 CET	49855	445	192.168.2.22	175.10.66.25
Mar 28, 2025 22:14:10.535212994 CET	49856	445	192.168.2.22	186.154.33.206
Mar 28, 2025 22:14:10.566225052 CET	49857	445	192.168.2.22	2.77.212.5
Mar 28, 2025 22:14:10.706703901 CET	49858	445	192.168.2.22	70.35.115.54
Mar 28, 2025 22:14:10.706778049 CET	49859	445	192.168.2.22	99.8.119.98
Mar 28, 2025 22:14:10.706945896 CET	49860	445	192.168.2.22	111.12.0.105
Mar 28, 2025 22:14:10.722294092 CET	49861	445	192.168.2.22	137.154.207.100
Mar 28, 2025 22:14:10.753439903 CET	49862	445	192.168.2.22	48.187.158.110
Mar 28, 2025 22:14:10.909686089 CET	49863	445	192.168.2.22	66.36.157.4
Mar 28, 2025 22:14:10.941123962 CET	49864	445	192.168.2.22	63.233.17.224
Mar 28, 2025 22:14:10.987464905 CET	49865	445	192.168.2.22	108.213.84.209
Mar 28, 2025 22:14:11.081010103 CET	49866	445	192.168.2.22	117.188.66.251
Mar 28, 2025 22:14:11.127820015 CET	49867	445	192.168.2.22	8.135.101.125
Mar 28, 2025 22:14:11.127912998 CET	49868	445	192.168.2.22	186.234.182.151
Mar 28, 2025 22:14:11.174618006 CET	49869	445	192.168.2.22	189.90.10.253
Mar 28, 2025 22:14:11.315128088 CET	49870	445	192.168.2.22	196.197.155.250
Mar 28, 2025 22:14:11.330611944 CET	49871	445	192.168.2.22	207.153.60.229
Mar 28, 2025 22:14:11.361982107 CET	49872	445	192.168.2.22	6.235.50.204
Mar 28, 2025 22:14:11.362042904 CET	49873	445	192.168.2.22	162.105.4.70
Mar 28, 2025 22:14:11.408696890 CET	49874	445	192.168.2.22	207.6.157.184
Mar 28, 2025 22:14:11.424288034 CET	49875	445	192.168.2.22	45.232.151.42
Mar 28, 2025 22:14:11.533500910 CET	49876	445	192.168.2.22	35.199.19.155
Mar 28, 2025 22:14:11.549417973 CET	49877	445	192.168.2.22	63.212.207.142
Mar 28, 2025 22:14:11.595825911 CET	49878	445	192.168.2.22	74.205.177.150
Mar 28, 2025 22:14:11.627569914 CET	49879	445	192.168.2.22	92.254.221.45
Mar 28, 2025 22:14:11.658437967 CET	49880	445	192.168.2.22	120.189.112.216
Mar 28, 2025 22:14:11.689493895 CET	49881	445	192.168.2.22	185.40.187.101
Mar 28, 2025 22:14:11.835566998 CET	49882	445	192.168.2.22	94.200.152.9
Mar 28, 2025 22:14:11.835656881 CET	49883	445	192.168.2.22	75.135.62.95
Mar 28, 2025 22:14:11.835724115 CET	49884	445	192.168.2.22	202.53.163.25
Mar 28, 2025 22:14:11.845432997 CET	49885	445	192.168.2.22	55.29.17.240
Mar 28, 2025 22:14:11.876828909 CET	49886	445	192.168.2.22	212.169.211.10
Mar 28, 2025 22:14:12.032735109 CET	49887	445	192.168.2.22	47.11.218.69
Mar 28, 2025 22:14:12.063822031 CET	49888	445	192.168.2.22	203.221.145.247
Mar 28, 2025 22:14:12.110816002 CET	49889	445	192.168.2.22	147.50.158.238
Mar 28, 2025 22:14:12.204245090 CET	49890	445	192.168.2.22	70.219.234.198
Mar 28, 2025 22:14:12.251095057 CET	49891	445	192.168.2.22	183.10.186.193
Mar 28, 2025 22:14:12.251281977 CET	49892	445	192.168.2.22	211.68.9.101
Mar 28, 2025 22:14:12.297933102 CET	49893	445	192.168.2.22	126.87.75.240
Mar 28, 2025 22:14:12.438461065 CET	49894	445	192.168.2.22	126.117.108.251
Mar 28, 2025 22:14:12.454204082 CET	49895	445	192.168.2.22	215.12.247.67
Mar 28, 2025 22:14:12.485029936 CET	49896	445	192.168.2.22	47.207.218.58
Mar 28, 2025 22:14:12.485342026 CET	49897	445	192.168.2.22	47.197.102.42
Mar 28, 2025 22:14:12.531908989 CET	49898	445	192.168.2.22	156.122.216.14
Mar 28, 2025 22:14:12.547442913 CET	49899	445	192.168.2.22	181.230.197.20
Mar 28, 2025 22:14:12.656708002 CET	49900	445	192.168.2.22	169.241.72.57
Mar 28, 2025 22:14:12.672358036 CET	49901	445	192.168.2.22	124.98.183.174
Mar 28, 2025 22:14:12.719041109 CET	49902	445	192.168.2.22	104.112.249.51
Mar 28, 2025 22:14:12.750257969 CET	49903	445	192.168.2.22	47.230.199.147
Mar 28, 2025 22:14:12.782010078 CET	49904	445	192.168.2.22	117.151.105.176
Mar 28, 2025 22:14:12.812741041 CET	49905	445	192.168.2.22	36.90.49.41
Mar 28, 2025 22:14:12.875585079 CET	49906	445	192.168.2.22	121.147.206.146
Mar 28, 2025 22:14:12.953075886 CET	49907	445	192.168.2.22	86.216.57.180
Mar 28, 2025 22:14:12.953131914 CET	49908	445	192.168.2.22	203.97.45.90
Mar 28, 2025 22:14:12.953306913 CET	49909	445	192.168.2.22	121.48.7.159
Mar 28, 2025 22:14:12.969079971 CET	49910	445	192.168.2.22	66.252.243.52
Mar 28, 2025 22:14:12.999984980 CET	49911	445	192.168.2.22	51.197.221.157
Mar 28, 2025 22:14:13.155848980 CET	49912	445	192.168.2.22	205.172.91.28
Mar 28, 2025 22:14:13.187201977 CET	49913	445	192.168.2.22	145.78.143.197
Mar 28, 2025 22:14:13.234009981 CET	49914	445	192.168.2.22	21.85.84.32
Mar 28, 2025 22:14:13.327672005 CET	49915	445	192.168.2.22	16.95.233.205
Mar 28, 2025 22:14:13.374372959 CET	49916	445	192.168.2.22	156.229.116.250
Mar 28, 2025 22:14:13.374391079 CET	49917	445	192.168.2.22	27.144.251.234
Mar 28, 2025 22:14:13.421144962 CET	49918	445	192.168.2.22	106.59.165.145
Mar 28, 2025 22:14:13.561511040 CET	49919	445	192.168.2.22	165.193.201.120
Mar 28, 2025 22:14:13.577152967 CET	49920	445	192.168.2.22	184.74.251.249
Mar 28, 2025 22:14:13.608242035 CET	49921	445	192.168.2.22	19.6.74.59
Mar 28, 2025 22:14:13.608392000 CET	49922	445	192.168.2.22	116.0.109.188
Mar 28, 2025 22:14:13.655162096 CET	49923	445	192.168.2.22	55.7.69.106
Mar 28, 2025 22:14:13.670770884 CET	49924	445	192.168.2.22	91.46.31.108
Mar 28, 2025 22:14:13.780277967 CET	49925	445	192.168.2.22	118.213.19.178
Mar 28, 2025 22:14:13.795794964 CET	49926	445	192.168.2.22	22.48.241.153
Mar 28, 2025 22:14:13.842416048 CET	49927	445	192.168.2.22	117.74.54.182
Mar 28, 2025 22:14:13.873544931 CET	49928	445	192.168.2.22	135.128.130.175
Mar 28, 2025 22:14:13.904670954 CET	49929	445	192.168.2.22	202.112.30.110
Mar 28, 2025 22:14:13.935883999 CET	49930	445	192.168.2.22	19.74.183.86
Mar 28, 2025 22:14:13.998367071 CET	49931	445	192.168.2.22	184.46.67.170
Mar 28, 2025 22:14:14.029695034 CET	49932	445	192.168.2.22	68.245.3.81
Mar 28, 2025 22:14:14.076328039 CET	49933	445	192.168.2.22	78.124.58.31
Mar 28, 2025 22:14:14.076425076 CET	49934	445	192.168.2.22	209.56.96.12
Mar 28, 2025 22:14:14.076562881 CET	49935	445	192.168.2.22	89.13.81.186
Mar 28, 2025 22:14:14.091886044 CET	49936	445	192.168.2.22	33.76.80.124
Mar 28, 2025 22:14:14.123327971 CET	49937	445	192.168.2.22	62.52.254.240
Mar 28, 2025 22:14:14.279186010 CET	49938	445	192.168.2.22	178.164.70.25
Mar 28, 2025 22:14:14.310664892 CET	49939	445	192.168.2.22	82.49.48.18
Mar 28, 2025 22:14:14.357240915 CET	49940	445	192.168.2.22	156.82.71.114
Mar 28, 2025 22:14:14.450687885 CET	49941	445	192.168.2.22	47.243.144.80
Mar 28, 2025 22:14:14.497549057 CET	49942	445	192.168.2.22	53.161.138.62
Mar 28, 2025 22:14:14.497616053 CET	49943	445	192.168.2.22	18.41.93.69
Mar 28, 2025 22:14:14.544469118 CET	49944	445	192.168.2.22	167.75.79.129
Mar 28, 2025 22:14:14.684897900 CET	49945	445	192.168.2.22	182.103.143.195
Mar 28, 2025 22:14:14.700339079 CET	49946	445	192.168.2.22	170.173.71.170
Mar 28, 2025 22:14:14.731664896 CET	49947	445	192.168.2.22	51.81.41.81
Mar 28, 2025 22:14:14.747375011 CET	49948	445	192.168.2.22	80.15.211.38
Mar 28, 2025 22:14:14.778465986 CET	49949	445	192.168.2.22	45.102.118.15
Mar 28, 2025 22:14:14.793910980 CET	49950	445	192.168.2.22	102.179.39.13
Mar 28, 2025 22:14:14.903665066 CET	49951	445	192.168.2.22	199.185.175.151
Mar 28, 2025 22:14:14.936167955 CET	49952	445	192.168.2.22	219.172.214.53
Mar 28, 2025 22:14:14.965480089 CET	49953	445	192.168.2.22	102.80.111.162
Mar 28, 2025 22:14:14.996640921 CET	49954	445	192.168.2.22	188.45.176.123
Mar 28, 2025 22:14:15.043612003 CET	49955	445	192.168.2.22	159.217.23.174
Mar 28, 2025 22:14:15.059103012 CET	49956	445	192.168.2.22	85.139.144.119
Mar 28, 2025 22:14:15.106201887 CET	49957	445	192.168.2.22	120.72.76.192
Mar 28, 2025 22:14:15.121486902 CET	49958	445	192.168.2.22	191.156.95.212
Mar 28, 2025 22:14:15.152904987 CET	49959	445	192.168.2.22	185.239.73.26
Mar 28, 2025 22:14:15.199532032 CET	49961	445	192.168.2.22	24.78.127.252
Mar 28, 2025 22:14:15.199594021 CET	49960	445	192.168.2.22	182.186.63.165
Mar 28, 2025 22:14:15.199719906 CET	49962	445	192.168.2.22	142.180.134.253
Mar 28, 2025 22:14:15.215075016 CET	49963	445	192.168.2.22	44.189.41.201
Mar 28, 2025 22:14:15.246630907 CET	49964	445	192.168.2.22	98.199.22.36
Mar 28, 2025 22:14:15.402507067 CET	49965	445	192.168.2.22	147.125.159.183
Mar 28, 2025 22:14:15.433494091 CET	49966	445	192.168.2.22	73.141.5.145
Mar 28, 2025 22:14:15.480456114 CET	49967	445	192.168.2.22	216.68.198.77
Mar 28, 2025 22:14:15.575391054 CET	49968	445	192.168.2.22	108.235.14.36
Mar 28, 2025 22:14:15.620743036 CET	49969	445	192.168.2.22	97.130.9.97
Mar 28, 2025 22:14:15.620755911 CET	49970	445	192.168.2.22	123.37.150.103
Mar 28, 2025 22:14:15.667589903 CET	49971	445	192.168.2.22	150.245.40.217
Mar 28, 2025 22:14:15.807910919 CET	49972	445	192.168.2.22	49.141.6.62
Mar 28, 2025 22:14:15.823569059 CET	49973	445	192.168.2.22	41.81.4.138
Mar 28, 2025 22:14:15.854760885 CET	49974	445	192.168.2.22	162.126.143.154
Mar 28, 2025 22:14:15.870378971 CET	49975	445	192.168.2.22	135.51.182.90
Mar 28, 2025 22:14:15.901473045 CET	49976	445	192.168.2.22	155.63.17.25
Mar 28, 2025 22:14:15.917376995 CET	49977	445	192.168.2.22	94.153.197.134
Mar 28, 2025 22:14:16.026586056 CET	49978	445	192.168.2.22	176.2.111.114
Mar 28, 2025 22:14:16.057627916 CET	49979	445	192.168.2.22	85.139.95.208
Mar 28, 2025 22:14:16.088749886 CET	49980	445	192.168.2.22	138.15.180.193
Mar 28, 2025 22:14:16.119992971 CET	49981	445	192.168.2.22	115.85.31.40
Mar 28, 2025 22:14:16.120702028 CET	49982	445	192.168.2.22	43.232.177.51
Mar 28, 2025 22:14:16.167006969 CET	49983	445	192.168.2.22	59.161.137.239
Mar 28, 2025 22:14:16.182588100 CET	49984	445	192.168.2.22	19.14.252.158
Mar 28, 2025 22:14:16.229212999 CET	49985	445	192.168.2.22	66.21.249.237
Mar 28, 2025 22:14:16.244752884 CET	49986	445	192.168.2.22	159.195.173.194
Mar 28, 2025 22:14:16.276055098 CET	49987	445	192.168.2.22	223.213.88.65
Mar 28, 2025 22:14:16.322721004 CET	49988	445	192.168.2.22	189.196.86.55
Mar 28, 2025 22:14:16.322819948 CET	49989	445	192.168.2.22	25.91.124.110
Mar 28, 2025 22:14:16.322892904 CET	49990	445	192.168.2.22	8.148.113.223
Mar 28, 2025 22:14:16.338376999 CET	49991	445	192.168.2.22	97.134.103.169
Mar 28, 2025 22:14:16.369601011 CET	49992	445	192.168.2.22	152.232.70.182
Mar 28, 2025 22:14:16.525727034 CET	49993	445	192.168.2.22	62.115.198.176
Mar 28, 2025 22:14:16.556708097 CET	49994	445	192.168.2.22	147.73.77.6
Mar 28, 2025 22:14:16.603621960 CET	49995	445	192.168.2.22	115.91.222.31
Mar 28, 2025 22:14:16.697438955 CET	49996	445	192.168.2.22	208.205.10.136
Mar 28, 2025 22:14:16.743901014 CET	49997	445	192.168.2.22	148.85.210.240
Mar 28, 2025 22:14:16.744113922 CET	49998	445	192.168.2.22	31.242.154.11
Mar 28, 2025 22:14:16.790627003 CET	49999	445	192.168.2.22	22.27.198.153
Mar 28, 2025 22:14:16.931637049 CET	50000	445	192.168.2.22	57.84.125.211
Mar 28, 2025 22:14:16.946640968 CET	50001	445	192.168.2.22	27.221.159.0
Mar 28, 2025 22:14:16.979566097 CET	50002	445	192.168.2.22	165.161.252.167
Mar 28, 2025 22:14:16.993490934 CET	50003	445	192.168.2.22	59.42.240.20
Mar 28, 2025 22:14:17.025176048 CET	50004	445	192.168.2.22	21.4.66.204
Mar 28, 2025 22:14:17.040527105 CET	50005	445	192.168.2.22	163.106.102.136
Mar 28, 2025 22:14:17.056364059 CET	50006	445	192.168.2.22	111.27.199.193
Mar 28, 2025 22:14:17.149513006 CET	50007	445	192.168.2.22	135.112.27.192
Mar 28, 2025 22:14:17.180736065 CET	50008	445	192.168.2.22	62.245.117.106
Mar 28, 2025 22:14:17.211985111 CET	50009	445	192.168.2.22	173.149.187.48
Mar 28, 2025 22:14:17.243052006 CET	50010	445	192.168.2.22	82.77.172.47
Mar 28, 2025 22:14:17.243134022 CET	50011	445	192.168.2.22	44.71.194.241
Mar 28, 2025 22:14:17.290004969 CET	50012	445	192.168.2.22	128.24.67.56
Mar 28, 2025 22:14:17.305712938 CET	50013	445	192.168.2.22	213.173.192.103
Mar 28, 2025 22:14:17.352412939 CET	50014	445	192.168.2.22	147.246.18.67
Mar 28, 2025 22:14:17.368222952 CET	50015	445	192.168.2.22	27.150.86.174
Mar 28, 2025 22:14:17.399180889 CET	50016	445	192.168.2.22	137.6.233.187
Mar 28, 2025 22:14:17.446253061 CET	50017	445	192.168.2.22	187.94.44.250
Mar 28, 2025 22:14:17.446324110 CET	50018	445	192.168.2.22	22.105.130.185
Mar 28, 2025 22:14:17.446387053 CET	50019	445	192.168.2.22	4.108.224.115
Mar 28, 2025 22:14:17.461577892 CET	50020	445	192.168.2.22	78.239.128.159
Mar 28, 2025 22:14:17.493021965 CET	50021	445	192.168.2.22	69.179.66.105
Mar 28, 2025 22:14:17.648638010 CET	50022	445	192.168.2.22	37.199.205.125
Mar 28, 2025 22:14:17.682518959 CET	50023	445	192.168.2.22	135.235.99.201
Mar 28, 2025 22:14:17.726813078 CET	50024	445	192.168.2.22	72.218.101.113
Mar 28, 2025 22:14:17.830388069 CET	50025	445	192.168.2.22	67.6.62.134
Mar 28, 2025 22:14:17.867150068 CET	50026	445	192.168.2.22	38.142.43.146
Mar 28, 2025 22:14:17.867305040 CET	50027	445	192.168.2.22	74.249.93.17
Mar 28, 2025 22:14:17.929636002 CET	50028	445	192.168.2.22	87.20.15.134
Mar 28, 2025 22:14:17.945380926 CET	50029	445	192.168.2.22	189.64.132.78
Mar 28, 2025 22:14:18.064841032 CET	50030	445	192.168.2.22	169.172.68.228
Mar 28, 2025 22:14:18.087707043 CET	50031	445	192.168.2.22	141.79.202.46
Mar 28, 2025 22:14:18.102304935 CET	50032	445	192.168.2.22	36.126.112.180
Mar 28, 2025 22:14:18.132325888 CET	50033	445	192.168.2.22	147.87.214.138
Mar 28, 2025 22:14:18.166722059 CET	50034	445	192.168.2.22	88.14.141.209
Mar 28, 2025 22:14:18.166919947 CET	50035	445	192.168.2.22	214.141.131.249
Mar 28, 2025 22:14:18.180197954 CET	50036	445	192.168.2.22	209.226.61.154
Mar 28, 2025 22:14:18.273698092 CET	50037	445	192.168.2.22	152.121.8.36
Mar 28, 2025 22:14:18.304059029 CET	50038	445	192.168.2.22	121.89.173.141
Mar 28, 2025 22:14:18.345340967 CET	50039	445	192.168.2.22	190.5.193.126
Mar 28, 2025 22:14:18.370887041 CET	50040	445	192.168.2.22	46.226.114.119
Mar 28, 2025 22:14:18.371005058 CET	50041	445	192.168.2.22	185.240.119.118
Mar 28, 2025 22:14:18.413947105 CET	50042	445	192.168.2.22	185.165.83.67
Mar 28, 2025 22:14:18.428822041 CET	50043	445	192.168.2.22	39.148.76.48
Mar 28, 2025 22:14:18.478379011 CET	50044	445	192.168.2.22	21.113.156.36
Mar 28, 2025 22:14:18.491060019 CET	50045	445	192.168.2.22	108.107.122.201
Mar 28, 2025 22:14:18.524554968 CET	50046	445	192.168.2.22	57.185.196.119
Mar 28, 2025 22:14:18.569066048 CET	50047	445	192.168.2.22	97.206.156.183
Mar 28, 2025 22:14:18.569133043 CET	50048	445	192.168.2.22	50.76.102.155
Mar 28, 2025 22:14:18.569188118 CET	50049	445	192.168.2.22	8.228.157.230
Mar 28, 2025 22:14:18.584815979 CET	50050	445	192.168.2.22	94.207.174.154
Mar 28, 2025 22:14:18.615973949 CET	50051	445	192.168.2.22	137.244.13.17
Mar 28, 2025 22:14:18.772042990 CET	50052	445	192.168.2.22	31.207.5.34
Mar 28, 2025 22:14:18.772437096 CET	50053	445	192.168.2.22	29.249.198.11
Mar 28, 2025 22:14:18.803181887 CET	50054	445	192.168.2.22	87.110.129.189
Mar 28, 2025 22:14:18.849982023 CET	50055	445	192.168.2.22	209.100.246.168
Mar 28, 2025 22:14:18.943800926 CET	50056	445	192.168.2.22	176.6.215.136
Mar 28, 2025 22:14:18.990472078 CET	50057	445	192.168.2.22	200.238.35.241
Mar 28, 2025 22:14:18.990674019 CET	50058	445	192.168.2.22	214.151.189.223
Mar 28, 2025 22:14:19.052687883 CET	50059	445	192.168.2.22	160.95.26.140
Mar 28, 2025 22:14:19.068344116 CET	50060	445	192.168.2.22	72.102.0.146
Mar 28, 2025 22:14:19.177656889 CET	50061	445	192.168.2.22	86.11.57.185
Mar 28, 2025 22:14:19.208669901 CET	50062	445	192.168.2.22	79.169.84.52
Mar 28, 2025 22:14:19.224334955 CET	50063	445	192.168.2.22	81.174.94.152
Mar 28, 2025 22:14:19.255506039 CET	50064	445	192.168.2.22	177.175.183.201
Mar 28, 2025 22:14:19.286884069 CET	50065	445	192.168.2.22	24.73.81.66
Mar 28, 2025 22:14:19.286890984 CET	50066	445	192.168.2.22	73.62.122.29
Mar 28, 2025 22:14:19.302294970 CET	50067	445	192.168.2.22	168.114.181.201
Mar 28, 2025 22:14:19.395946980 CET	50068	445	192.168.2.22	21.208.212.95
Mar 28, 2025 22:14:19.427258015 CET	50069	445	192.168.2.22	219.167.129.166
Mar 28, 2025 22:14:19.458324909 CET	50070	445	192.168.2.22	51.4.42.158
Mar 28, 2025 22:14:19.489485025 CET	50071	445	192.168.2.22	132.166.66.183
Mar 28, 2025 22:14:19.489563942 CET	50072	445	192.168.2.22	111.142.37.135
Mar 28, 2025 22:14:19.536324024 CET	50073	445	192.168.2.22	68.149.251.220
Mar 28, 2025 22:14:19.536699057 CET	50074	445	192.168.2.22	168.235.124.41
Mar 28, 2025 22:14:19.552109003 CET	50075	445	192.168.2.22	172.56.64.223
Mar 28, 2025 22:14:19.598699093 CET	50076	445	192.168.2.22	211.150.254.214
Mar 28, 2025 22:14:19.614341974 CET	50077	445	192.168.2.22	112.175.145.0
Mar 28, 2025 22:14:19.645431042 CET	50078	445	192.168.2.22	17.200.210.30
Mar 28, 2025 22:14:19.692292929 CET	50079	445	192.168.2.22	173.87.90.34
Mar 28, 2025 22:14:19.692373037 CET	50080	445	192.168.2.22	52.158.59.152
Mar 28, 2025 22:14:19.692374945 CET	50081	445	192.168.2.22	131.152.5.181
Mar 28, 2025 22:14:19.707976103 CET	50082	445	192.168.2.22	187.239.131.71
Mar 28, 2025 22:14:19.739350080 CET	50083	445	192.168.2.22	135.173.63.245
Mar 28, 2025 22:14:19.895212889 CET	50084	445	192.168.2.22	86.153.190.190
Mar 28, 2025 22:14:19.895243883 CET	50085	445	192.168.2.22	107.232.1.150
Mar 28, 2025 22:14:19.926626921 CET	50086	445	192.168.2.22	24.66.252.97
Mar 28, 2025 22:14:19.973377943 CET	50087	445	192.168.2.22	46.12.101.175
Mar 28, 2025 22:14:20.066796064 CET	50088	445	192.168.2.22	200.134.68.94
Mar 28, 2025 22:14:20.113478899 CET	50089	445	192.168.2.22	132.83.64.149
Mar 28, 2025 22:14:20.113575935 CET	50090	445	192.168.2.22	27.5.84.185
Mar 28, 2025 22:14:20.175898075 CET	50091	445	192.168.2.22	129.97.205.5
Mar 28, 2025 22:14:20.191478014 CET	50092	445	192.168.2.22	56.202.114.161
Mar 28, 2025 22:14:20.300762892 CET	50094	445	192.168.2.22	131.211.170.64
Mar 28, 2025 22:14:20.332094908 CET	50095	445	192.168.2.22	115.53.69.235
Mar 28, 2025 22:14:20.347445011 CET	50096	445	192.168.2.22	28.152.28.163
Mar 28, 2025 22:14:20.378726959 CET	50097	445	192.168.2.22	44.139.142.117
Mar 28, 2025 22:14:20.410799026 CET	50098	445	192.168.2.22	60.10.23.107
Mar 28, 2025 22:14:20.410959005 CET	50099	445	192.168.2.22	137.225.75.11
Mar 28, 2025 22:14:20.425657034 CET	50100	445	192.168.2.22	200.35.14.250
Mar 28, 2025 22:14:20.519185066 CET	50101	445	192.168.2.22	57.231.203.199
Mar 28, 2025 22:14:20.550446033 CET	50102	445	192.168.2.22	140.252.245.97
Mar 28, 2025 22:14:20.612684011 CET	50104	445	192.168.2.22	219.247.152.139
Mar 28, 2025 22:14:20.612782001 CET	50105	445	192.168.2.22	99.17.1.200
Mar 28, 2025 22:14:20.659495115 CET	50106	445	192.168.2.22	55.137.194.75
Mar 28, 2025 22:14:20.659699917 CET	50107	445	192.168.2.22	34.70.95.120
Mar 28, 2025 22:14:20.675266981 CET	50108	445	192.168.2.22	134.45.187.19
Mar 28, 2025 22:14:20.722126961 CET	50109	445	192.168.2.22	25.12.36.67
Mar 28, 2025 22:14:20.738653898 CET	50110	445	192.168.2.22	30.239.238.164
Mar 28, 2025 22:14:20.768868923 CET	50111	445	192.168.2.22	152.87.123.137
Mar 28, 2025 22:14:20.815598965 CET	50112	445	192.168.2.22	97.218.59.56
Mar 28, 2025 22:14:20.815814018 CET	50113	445	192.168.2.22	178.153.4.50
Mar 28, 2025 22:14:20.815922022 CET	50114	445	192.168.2.22	99.55.60.91
Mar 28, 2025 22:14:20.831101894 CET	50115	445	192.168.2.22	42.156.186.219
Mar 28, 2025 22:14:20.862420082 CET	50116	445	192.168.2.22	221.84.75.128
Mar 28, 2025 22:14:21.018310070 CET	50118	445	192.168.2.22	150.24.78.160
Mar 28, 2025 22:14:21.018800020 CET	50119	445	192.168.2.22	2.142.134.135
Mar 28, 2025 22:14:21.067492008 CET	50120	445	192.168.2.22	194.143.116.134
Mar 28, 2025 22:14:21.101151943 CET	50121	445	192.168.2.22	141.82.33.28
Mar 28, 2025 22:14:21.240295887 CET	50122	445	192.168.2.22	15.120.78.47
Mar 28, 2025 22:14:21.253428936 CET	50123	445	192.168.2.22	146.81.53.98
Mar 28, 2025 22:14:21.257559061 CET	50124	445	192.168.2.22	157.134.108.216
Mar 28, 2025 22:14:21.299031973 CET	50125	445	192.168.2.22	216.18.244.47
Mar 28, 2025 22:14:21.314627886 CET	50126	445	192.168.2.22	149.166.222.171
Mar 28, 2025 22:14:21.455065012 CET	50128	445	192.168.2.22	9.175.153.233
Mar 28, 2025 22:14:21.458453894 CET	50129	445	192.168.2.22	193.26.101.28
Mar 28, 2025 22:14:21.473984003 CET	50130	445	192.168.2.22	213.83.93.55
Mar 28, 2025 22:14:21.501935005 CET	50131	445	192.168.2.22	189.222.68.85
Mar 28, 2025 22:14:21.577586889 CET	50132	445	192.168.2.22	21.220.217.97
Mar 28, 2025 22:14:21.577696085 CET	50133	445	192.168.2.22	85.114.199.76
Mar 28, 2025 22:14:21.577892065 CET	50134	445	192.168.2.22	187.82.63.113
Mar 28, 2025 22:14:21.727118969 CET	50136	445	192.168.2.22	27.1.102.204
Mar 28, 2025 22:14:21.727199078 CET	50137	445	192.168.2.22	44.208.34.213
Mar 28, 2025 22:14:21.727241993 CET	50138	445	192.168.2.22	153.219.118.241
Mar 28, 2025 22:14:21.829514027 CET	50139	445	192.168.2.22	10.143.208.63
Mar 28, 2025 22:14:21.829596996 CET	50140	445	192.168.2.22	4.158.189.36
Mar 28, 2025 22:14:21.829725027 CET	50141	445	192.168.2.22	66.168.134.26
Mar 28, 2025 22:14:21.829785109 CET	50142	445	192.168.2.22	101.224.25.68
Mar 28, 2025 22:14:21.829838037 CET	50143	445	192.168.2.22	30.29.156.249
Mar 28, 2025 22:14:21.845283031 CET	50144	445	192.168.2.22	190.219.15.10
Mar 28, 2025 22:14:21.860676050 CET	50145	445	192.168.2.22	31.104.246.164
Mar 28, 2025 22:14:21.891894102 CET	50146	445	192.168.2.22	197.208.222.185
Mar 28, 2025 22:14:21.940146923 CET	50147	445	192.168.2.22	204.228.114.158
Mar 28, 2025 22:14:21.940321922 CET	50148	445	192.168.2.22	202.230.229.227
Mar 28, 2025 22:14:21.940407991 CET	50149	445	192.168.2.22	207.148.103.50
Mar 28, 2025 22:14:21.954452038 CET	50150	445	192.168.2.22	192.13.222.69
Mar 28, 2025 22:14:21.985549927 CET	50151	445	192.168.2.22	98.98.50.93
Mar 28, 2025 22:14:22.141563892 CET	50154	445	192.168.2.22	220.63.78.217
Mar 28, 2025 22:14:22.143254042 CET	50155	445	192.168.2.22	148.209.102.161
Mar 28, 2025 22:14:22.188360929 CET	50156	445	192.168.2.22	61.52.251.189
Mar 28, 2025 22:14:22.219893932 CET	50157	445	192.168.2.22	150.98.53.161
Mar 28, 2025 22:14:22.360109091 CET	50158	445	192.168.2.22	18.58.104.49
Mar 28, 2025 22:14:22.375518084 CET	50160	445	192.168.2.22	131.242.106.129
Mar 28, 2025 22:14:22.375525951 CET	50159	445	192.168.2.22	129.235.121.61
Mar 28, 2025 22:14:22.422422886 CET	50161	445	192.168.2.22	25.142.51.230
Mar 28, 2025 22:14:22.438036919 CET	50162	445	192.168.2.22	62.48.222.133
Mar 28, 2025 22:14:22.578428030 CET	50164	445	192.168.2.22	43.25.58.169
Mar 28, 2025 22:14:22.578454971 CET	50165	445	192.168.2.22	163.158.157.127
Mar 28, 2025 22:14:22.593913078 CET	50166	445	192.168.2.22	99.117.73.225
Mar 28, 2025 22:14:22.625144958 CET	50167	445	192.168.2.22	202.143.76.195
Mar 28, 2025 22:14:22.687714100 CET	50169	445	192.168.2.22	212.70.176.126
Mar 28, 2025 22:14:22.687815905 CET	50170	445	192.168.2.22	27.5.68.51
Mar 28, 2025 22:14:22.688095093 CET	50171	445	192.168.2.22	14.254.108.244
Mar 28, 2025 22:14:22.843686104 CET	50173	445	192.168.2.22	68.191.28.160
Mar 28, 2025 22:14:22.843750954 CET	50174	445	192.168.2.22	95.98.219.238
Mar 28, 2025 22:14:22.843875885 CET	50175	445	192.168.2.22	173.148.201.48
Mar 28, 2025 22:14:22.952692986 CET	50176	445	192.168.2.22	121.218.49.86
Mar 28, 2025 22:14:22.952769041 CET	50177	445	192.168.2.22	126.156.67.248
Mar 28, 2025 22:14:22.952889919 CET	50178	445	192.168.2.22	173.31.151.14
Mar 28, 2025 22:14:22.952950954 CET	50179	445	192.168.2.22	33.53.195.32
Mar 28, 2025 22:14:22.953043938 CET	50180	445	192.168.2.22	222.26.184.177
Mar 28, 2025 22:14:22.968446016 CET	50181	445	192.168.2.22	202.58.90.173
Mar 28, 2025 22:14:22.983918905 CET	50182	445	192.168.2.22	39.121.127.147
Mar 28, 2025 22:14:23.015178919 CET	50183	445	192.168.2.22	138.208.93.211
Mar 28, 2025 22:14:23.061958075 CET	50184	445	192.168.2.22	39.240.211.237
Mar 28, 2025 22:14:23.062165022 CET	50185	445	192.168.2.22	119.67.112.212
Mar 28, 2025 22:14:23.062397957 CET	50186	445	192.168.2.22	73.155.117.138
Mar 28, 2025 22:14:23.077652931 CET	50187	445	192.168.2.22	130.239.204.214
Mar 28, 2025 22:14:23.109257936 CET	50188	445	192.168.2.22	173.27.55.28
Mar 28, 2025 22:14:23.264878988 CET	50193	445	192.168.2.22	48.44.206.254
Mar 28, 2025 22:14:23.264884949 CET	50192	445	192.168.2.22	142.242.86.242
Mar 28, 2025 22:14:23.311609983 CET	50194	445	192.168.2.22	133.23.228.237
Mar 28, 2025 22:14:23.342984915 CET	50195	445	192.168.2.22	44.71.32.71
Mar 28, 2025 22:14:23.498651028 CET	50197	445	192.168.2.22	145.131.37.52
Mar 28, 2025 22:14:23.509231091 CET	50198	445	192.168.2.22	131.250.114.114
Mar 28, 2025 22:14:23.545617104 CET	50199	445	192.168.2.22	21.15.35.184
Mar 28, 2025 22:14:23.561105967 CET	50200	445	192.168.2.22	207.67.81.91
Mar 28, 2025 22:14:23.701483965 CET	50203	445	192.168.2.22	13.119.156.245
Mar 28, 2025 22:14:23.701699972 CET	50204	445	192.168.2.22	24.224.79.181
Mar 28, 2025 22:14:23.717159033 CET	50205	445	192.168.2.22	148.113.251.220
Mar 28, 2025 22:14:23.748378038 CET	50206	445	192.168.2.22	148.209.107.218
Mar 28, 2025 22:14:23.810770035 CET	50208	445	192.168.2.22	169.15.157.229
Mar 28, 2025 22:14:23.810929060 CET	50210	445	192.168.2.22	94.171.178.161
Mar 28, 2025 22:14:23.810976982 CET	50211	445	192.168.2.22	212.187.46.45
Mar 28, 2025 22:14:23.966981888 CET	50213	445	192.168.2.22	53.73.166.166
Mar 28, 2025 22:14:23.967056990 CET	50212	445	192.168.2.22	112.79.67.193
Mar 28, 2025 22:14:23.967056990 CET	50214	445	192.168.2.22	51.175.168.78
Mar 28, 2025 22:14:24.076102972 CET	50215	445	192.168.2.22	218.187.43.247
Mar 28, 2025 22:14:24.076225996 CET	50216	445	192.168.2.22	94.17.57.2
Mar 28, 2025 22:14:24.076229095 CET	50217	445	192.168.2.22	4.92.249.84
Mar 28, 2025 22:14:24.076307058 CET	50218	445	192.168.2.22	141.148.64.122
Mar 28, 2025 22:14:24.076334000 CET	50219	445	192.168.2.22	90.246.29.34
Mar 28, 2025 22:14:24.091763973 CET	50220	445	192.168.2.22	179.32.8.154
Mar 28, 2025 22:14:24.107135057 CET	50221	445	192.168.2.22	57.213.237.203
Mar 28, 2025 22:14:24.138288021 CET	50223	445	192.168.2.22	104.251.21.99
Mar 28, 2025 22:14:24.185144901 CET	50224	445	192.168.2.22	12.37.17.219
Mar 28, 2025 22:14:24.185237885 CET	50225	445	192.168.2.22	202.246.22.14
Mar 28, 2025 22:14:24.185412884 CET	50226	445	192.168.2.22	223.103.176.6
Mar 28, 2025 22:14:24.200867891 CET	50227	445	192.168.2.22	172.202.65.244
Mar 28, 2025 22:14:24.232249022 CET	50228	445	192.168.2.22	109.99.87.167
Mar 28, 2025 22:14:24.387939930 CET	50232	445	192.168.2.22	208.188.100.246
Mar 28, 2025 22:14:24.388003111 CET	50233	445	192.168.2.22	57.238.236.78
Mar 28, 2025 22:14:24.434962034 CET	50234	445	192.168.2.22	72.157.59.44
Mar 28, 2025 22:14:24.465929985 CET	50235	445	192.168.2.22	51.121.106.166
Mar 28, 2025 22:14:24.606297970 CET	50237	445	192.168.2.22	72.105.18.173
Mar 28, 2025 22:14:24.621917963 CET	50238	445	192.168.2.22	199.33.228.62
Mar 28, 2025 22:14:24.622036934 CET	50239	445	192.168.2.22	146.205.176.228
Mar 28, 2025 22:14:24.668731928 CET	50240	445	192.168.2.22	92.87.35.20
Mar 28, 2025 22:14:24.684511900 CET	50241	445	192.168.2.22	71.94.224.149
Mar 28, 2025 22:14:24.824922085 CET	50244	445	192.168.2.22	104.251.42.133
Mar 28, 2025 22:14:24.825025082 CET	50245	445	192.168.2.22	83.60.138.245
Mar 28, 2025 22:14:24.840290070 CET	50246	445	192.168.2.22	20.205.177.93
Mar 28, 2025 22:14:24.871562958 CET	50247	445	192.168.2.22	8.125.91.29
Mar 28, 2025 22:14:24.934173107 CET	50249	445	192.168.2.22	14.83.1.106
Mar 28, 2025 22:14:24.934319019 CET	50250	445	192.168.2.22	108.144.28.81
Mar 28, 2025 22:14:24.934439898 CET	50252	445	192.168.2.22	144.204.114.52
Mar 28, 2025 22:14:25.090070963 CET	50254	445	192.168.2.22	180.238.106.70
Mar 28, 2025 22:14:25.090143919 CET	50255	445	192.168.2.22	218.156.208.206
Mar 28, 2025 22:14:25.090182066 CET	50256	445	192.168.2.22	72.150.165.208
Mar 28, 2025 22:14:25.199096918 CET	50257	445	192.168.2.22	78.199.144.224
Mar 28, 2025 22:14:25.199256897 CET	50258	445	192.168.2.22	102.225.137.187
Mar 28, 2025 22:14:25.199309111 CET	50259	445	192.168.2.22	78.98.174.211
Mar 28, 2025 22:14:25.199409962 CET	50260	445	192.168.2.22	78.85.4.49
Mar 28, 2025 22:14:25.199477911 CET	50261	445	192.168.2.22	185.22.86.4
Mar 28, 2025 22:14:25.214653969 CET	50262	445	192.168.2.22	62.26.136.198
Mar 28, 2025 22:14:25.236248970 CET	50263	445	192.168.2.22	172.174.65.158
Mar 28, 2025 22:14:25.261471987 CET	50265	445	192.168.2.22	177.96.212.163
Mar 28, 2025 22:14:25.308285952 CET	50267	445	192.168.2.22	204.6.117.192
Mar 28, 2025 22:14:25.308399916 CET	50268	445	192.168.2.22	51.66.26.254
Mar 28, 2025 22:14:25.308459997 CET	50269	445	192.168.2.22	152.168.131.180
Mar 28, 2025 22:14:25.323838949 CET	50270	445	192.168.2.22	137.79.23.114
Mar 28, 2025 22:14:25.355108976 CET	50271	445	192.168.2.22	3.156.204.173
Mar 28, 2025 22:14:25.511071920 CET	50275	445	192.168.2.22	50.122.208.148
Mar 28, 2025 22:14:25.512089968 CET	50276	445	192.168.2.22	160.200.72.130
Mar 28, 2025 22:14:25.557926893 CET	50277	445	192.168.2.22	114.122.239.93
Mar 28, 2025 22:14:25.589173079 CET	50278	445	192.168.2.22	37.215.166.126
Mar 28, 2025 22:14:25.729501009 CET	50281	445	192.168.2.22	138.70.156.211
Mar 28, 2025 22:14:25.745049953 CET	50282	445	192.168.2.22	199.186.74.95
Mar 28, 2025 22:14:25.745090008 CET	50283	445	192.168.2.22	74.194.210.32
Mar 28, 2025 22:14:25.792887926 CET	50284	445	192.168.2.22	183.38.125.196
Mar 28, 2025 22:14:25.807542086 CET	50285	445	192.168.2.22	222.56.42.128
Mar 28, 2025 22:14:25.947992086 CET	50288	445	192.168.2.22	2.67.164.53
Mar 28, 2025 22:14:25.948529959 CET	50289	445	192.168.2.22	27.221.201.142
Mar 28, 2025 22:14:25.963531017 CET	50291	445	192.168.2.22	76.24.245.15
Mar 28, 2025 22:14:25.994997025 CET	50292	445	192.168.2.22	164.188.90.230
Mar 28, 2025 22:14:26.057190895 CET	50294	445	192.168.2.22	102.64.44.90
Mar 28, 2025 22:14:26.057421923 CET	50296	445	192.168.2.22	106.20.173.206
Mar 28, 2025 22:14:26.057549953 CET	50297	445	192.168.2.22	158.23.19.165
Mar 28, 2025 22:14:26.213371992 CET	50299	445	192.168.2.22	64.72.97.103
Mar 28, 2025 22:14:26.213418961 CET	50301	445	192.168.2.22	88.88.35.227
Mar 28, 2025 22:14:26.213445902 CET	50300	445	192.168.2.22	46.43.139.115
Mar 28, 2025 22:14:26.322483063 CET	50303	445	192.168.2.22	161.250.41.119
Mar 28, 2025 22:14:26.322586060 CET	50304	445	192.168.2.22	122.31.112.114
Mar 28, 2025 22:14:26.322707891 CET	50306	445	192.168.2.22	193.119.72.99
Mar 28, 2025 22:14:26.322766066 CET	50305	445	192.168.2.22	120.89.34.53
Mar 28, 2025 22:14:26.322839975 CET	50307	445	192.168.2.22	100.130.241.183
Mar 28, 2025 22:14:26.338035107 CET	50308	445	192.168.2.22	190.44.48.60
Mar 28, 2025 22:14:26.353503942 CET	50309	445	192.168.2.22	201.5.147.129
Mar 28, 2025 22:14:26.384800911 CET	50311	445	192.168.2.22	218.42.160.173
Mar 28, 2025 22:14:26.431577921 CET	50314	445	192.168.2.22	216.103.247.11
Mar 28, 2025 22:14:26.431643963 CET	50315	445	192.168.2.22	200.232.5.60
Mar 28, 2025 22:14:26.431682110 CET	50313	445	192.168.2.22	91.142.77.43
Mar 28, 2025 22:14:26.447117090 CET	50316	445	192.168.2.22	80.202.132.8
Mar 28, 2025 22:14:26.478348017 CET	50317	445	192.168.2.22	223.118.53.100
Mar 28, 2025 22:14:26.634315968 CET	50322	445	192.168.2.22	52.235.251.120
Mar 28, 2025 22:14:26.634444952 CET	50323	445	192.168.2.22	196.200.158.174
Mar 28, 2025 22:14:26.681127071 CET	50324	445	192.168.2.22	76.219.119.33
Mar 28, 2025 22:14:26.712378025 CET	50325	445	192.168.2.22	191.155.73.129
Mar 28, 2025 22:14:26.852777958 CET	50329	445	192.168.2.22	114.86.40.249
Mar 28, 2025 22:14:26.868366003 CET	50330	445	192.168.2.22	114.77.51.125
Mar 28, 2025 22:14:26.868376970 CET	50331	445	192.168.2.22	182.187.117.13
Mar 28, 2025 22:14:26.915199041 CET	50332	445	192.168.2.22	33.171.101.209
Mar 28, 2025 22:14:26.931832075 CET	50333	445	192.168.2.22	3.124.189.30
Mar 28, 2025 22:14:27.071202040 CET	50337	445	192.168.2.22	216.96.141.36
Mar 28, 2025 22:14:27.071516991 CET	50339	445	192.168.2.22	191.198.52.231
Mar 28, 2025 22:14:27.086782932 CET	50340	445	192.168.2.22	44.26.48.158
Mar 28, 2025 22:14:27.180341959 CET	50344	445	192.168.2.22	220.160.74.173
Mar 28, 2025 22:14:27.180486917 CET	50345	445	192.168.2.22	194.228.220.46
Mar 28, 2025 22:14:27.180627108 CET	50347	445	192.168.2.22	89.1.134.73
Mar 28, 2025 22:14:27.336503983 CET	50349	445	192.168.2.22	82.214.226.99
Mar 28, 2025 22:14:27.336503983 CET	50350	445	192.168.2.22	175.118.203.230
Mar 28, 2025 22:14:27.336517096 CET	50351	445	192.168.2.22	69.63.19.94
Mar 28, 2025 22:14:27.445633888 CET	50353	445	192.168.2.22	204.234.225.158
Mar 28, 2025 22:14:27.445637941 CET	50354	445	192.168.2.22	41.203.188.25
Mar 28, 2025 22:14:27.445698977 CET	50355	445	192.168.2.22	21.9.75.14
Mar 28, 2025 22:14:27.445724964 CET	50356	445	192.168.2.22	187.60.112.227
Mar 28, 2025 22:14:27.445784092 CET	50357	445	192.168.2.22	18.13.185.125
Mar 28, 2025 22:14:27.461460114 CET	50358	445	192.168.2.22	41.116.102.50
Mar 28, 2025 22:14:27.476718903 CET	50359	445	192.168.2.22	118.186.161.104
Mar 28, 2025 22:14:27.507862091 CET	50362	445	192.168.2.22	219.232.46.211
Mar 28, 2025 22:14:27.554689884 CET	50364	445	192.168.2.22	36.252.138.242
Mar 28, 2025 22:14:27.554785013 CET	50365	445	192.168.2.22	38.120.130.175
Mar 28, 2025 22:14:27.554785013 CET	50366	445	192.168.2.22	190.191.220.211
Mar 28, 2025 22:14:27.570324898 CET	50367	445	192.168.2.22	128.19.193.213
Mar 28, 2025 22:14:27.601742983 CET	50368	445	192.168.2.22	194.160.98.245
Mar 28, 2025 22:14:27.757482052 CET	50374	445	192.168.2.22	194.147.142.88
Mar 28, 2025 22:14:27.757565022 CET	50375	445	192.168.2.22	8.82.35.33
Mar 28, 2025 22:14:27.804328918 CET	50376	445	192.168.2.22	20.29.5.246
Mar 28, 2025 22:14:27.835599899 CET	50377	445	192.168.2.22	47.58.142.140
Mar 28, 2025 22:14:27.975959063 CET	50382	445	192.168.2.22	46.200.68.119
Mar 28, 2025 22:14:27.991447926 CET	50383	445	192.168.2.22	183.235.162.186
Mar 28, 2025 22:14:27.991641045 CET	50384	445	192.168.2.22	198.28.216.81
Mar 28, 2025 22:14:28.049962044 CET	50385	445	192.168.2.22	131.30.93.170
Mar 28, 2025 22:14:28.053904057 CET	50386	445	192.168.2.22	143.185.116.97
Mar 28, 2025 22:14:28.197324991 CET	50392	445	192.168.2.22	107.88.85.160
Mar 28, 2025 22:14:28.202049971 CET	50393	445	192.168.2.22	175.220.61.126
Mar 28, 2025 22:14:28.210180998 CET	50394	445	192.168.2.22	93.22.56.59
Mar 28, 2025 22:14:28.243211985 CET	50396	445	192.168.2.22	2.192.247.184
Mar 28, 2025 22:14:28.305279016 CET	50398	445	192.168.2.22	219.215.120.65
Mar 28, 2025 22:14:28.305464983 CET	50400	445	192.168.2.22	217.140.69.34
Mar 28, 2025 22:14:28.305521011 CET	50401	445	192.168.2.22	57.158.96.19
Mar 28, 2025 22:14:28.584388018 CET	50404	445	192.168.2.22	117.141.171.30
Mar 28, 2025 22:14:28.599984884 CET	50405	445	192.168.2.22	185.74.7.174
Mar 28, 2025 22:14:28.645924091 CET	50408	445	192.168.2.22	163.220.84.54
Mar 28, 2025 22:14:28.645982981 CET	50409	445	192.168.2.22	80.174.3.149
Mar 28, 2025 22:14:28.646049976 CET	50410	445	192.168.2.22	70.113.196.179
Mar 28, 2025 22:14:28.646631956 CET	50412	445	192.168.2.22	182.87.193.30
Mar 28, 2025 22:14:28.646728039 CET	50413	445	192.168.2.22	126.185.13.228
Mar 28, 2025 22:14:28.646807909 CET	50414	445	192.168.2.22	170.42.38.154
Mar 28, 2025 22:14:28.646891117 CET	50415	445	192.168.2.22	5.204.215.212
Mar 28, 2025 22:14:28.646923065 CET	50416	445	192.168.2.22	65.170.147.234
Mar 28, 2025 22:14:28.688793898 CET	50419	445	192.168.2.22	125.243.60.189
Mar 28, 2025 22:14:28.688865900 CET	50420	445	192.168.2.22	7.59.221.188
Mar 28, 2025 22:14:28.688956022 CET	50421	445	192.168.2.22	5.19.71.212
Mar 28, 2025 22:14:28.694664955 CET	50422	445	192.168.2.22	166.235.162.153
Mar 28, 2025 22:14:28.724889040 CET	50423	445	192.168.2.22	166.171.7.58
Mar 28, 2025 22:14:28.789995909 CET	50426	445	192.168.2.22	119.204.138.174
Mar 28, 2025 22:14:28.880856037 CET	50430	445	192.168.2.22	3.105.208.18
Mar 28, 2025 22:14:28.896408081 CET	50433	445	192.168.2.22	37.89.94.74
Mar 28, 2025 22:14:28.927809954 CET	50435	445	192.168.2.22	91.28.19.136
Mar 28, 2025 22:14:28.958743095 CET	50436	445	192.168.2.22	159.182.182.66
Mar 28, 2025 22:14:29.099195004 CET	50442	445	192.168.2.22	91.75.110.35
Mar 28, 2025 22:14:29.114748955 CET	50443	445	192.168.2.22	106.189.51.238
Mar 28, 2025 22:14:29.114810944 CET	50444	445	192.168.2.22	196.113.17.91
Mar 28, 2025 22:14:29.161601067 CET	50446	445	192.168.2.22	37.163.254.74
Mar 28, 2025 22:14:29.177097082 CET	50448	445	192.168.2.22	149.225.219.72
Mar 28, 2025 22:14:29.317584991 CET	50453	445	192.168.2.22	83.127.145.165
Mar 28, 2025 22:14:29.317703962 CET	50455	445	192.168.2.22	72.119.243.39
Mar 28, 2025 22:14:29.333285093 CET	50457	445	192.168.2.22	15.109.41.140
Mar 28, 2025 22:14:29.364358902 CET	50459	445	192.168.2.22	220.230.99.53
Mar 28, 2025 22:14:29.426714897 CET	50461	445	192.168.2.22	51.246.156.131
Mar 28, 2025 22:14:29.426795006 CET	50462	445	192.168.2.22	223.176.250.208
Mar 28, 2025 22:14:29.426855087 CET	50464	445	192.168.2.22	174.202.66.27
Mar 28, 2025 22:14:29.707740068 CET	50471	445	192.168.2.22	130.82.143.12
Mar 28, 2025 22:14:29.723124027 CET	50472	445	192.168.2.22	48.10.84.62
Mar 28, 2025 22:14:29.754313946 CET	50474	445	192.168.2.22	209.80.251.47
Mar 28, 2025 22:14:29.754420996 CET	50475	445	192.168.2.22	145.75.242.125
Mar 28, 2025 22:14:29.754513025 CET	50476	445	192.168.2.22	91.167.152.5
Mar 28, 2025 22:14:29.769933939 CET	50481	445	192.168.2.22	150.46.94.249
Mar 28, 2025 22:14:29.769937992 CET	50482	445	192.168.2.22	115.80.21.32
Mar 28, 2025 22:14:29.770006895 CET	50483	445	192.168.2.22	165.33.193.37
Mar 28, 2025 22:14:29.770037889 CET	50484	445	192.168.2.22	181.209.132.151
Mar 28, 2025 22:14:29.770107985 CET	50485	445	192.168.2.22	135.67.212.252
Mar 28, 2025 22:14:29.801134109 CET	50487	445	192.168.2.22	205.137.204.58
Mar 28, 2025 22:14:29.801168919 CET	50488	445	192.168.2.22	23.140.6.174
Mar 28, 2025 22:14:29.801249981 CET	50489	445	192.168.2.22	42.230.93.223
Mar 28, 2025 22:14:29.816888094 CET	50490	445	192.168.2.22	14.173.57.169
Mar 28, 2025 22:14:29.847960949 CET	50492	445	192.168.2.22	157.173.245.226
Mar 28, 2025 22:14:29.910542965 CET	50498	445	192.168.2.22	195.82.177.71
Mar 28, 2025 22:14:30.004040003 CET	50501	445	192.168.2.22	186.70.211.214
Mar 28, 2025 22:14:30.019620895 CET	50504	445	192.168.2.22	216.251.158.207
Mar 28, 2025 22:14:30.050709963 CET	50507	445	192.168.2.22	46.176.197.228
Mar 28, 2025 22:14:30.081911087 CET	50509	445	192.168.2.22	192.36.236.145
Mar 28, 2025 22:14:30.222676039 CET	50518	445	192.168.2.22	112.128.196.232
Mar 28, 2025 22:14:30.237914085 CET	50519	445	192.168.2.22	58.211.70.60
Mar 28, 2025 22:14:30.238028049 CET	50520	445	192.168.2.22	92.224.191.117
Mar 28, 2025 22:14:30.284754992 CET	50523	445	192.168.2.22	16.47.227.39
Mar 28, 2025 22:14:30.300293922 CET	50525	445	192.168.2.22	171.176.151.176
Mar 28, 2025 22:14:30.440802097 CET	50535	445	192.168.2.22	52.204.43.17
Mar 28, 2025 22:14:30.440849066 CET	50536	445	192.168.2.22	11.228.141.243
Mar 28, 2025 22:14:30.456329107 CET	50540	445	192.168.2.22	17.91.170.16
Mar 28, 2025 22:14:30.487591028 CET	50543	445	192.168.2.22	118.12.118.193
Mar 28, 2025 22:14:30.550000906 CET	50550	445	192.168.2.22	108.96.243.23
Mar 28, 2025 22:14:30.550005913 CET	50547	445	192.168.2.22	107.83.51.13
Mar 28, 2025 22:14:30.550065041 CET	50548	445	192.168.2.22	48.4.52.42
Mar 28, 2025 22:14:30.830841064 CET	50573	445	192.168.2.22	10.221.8.60
Mar 28, 2025 22:14:30.846326113 CET	50575	445	192.168.2.22	116.130.153.253
Mar 28, 2025 22:14:30.877613068 CET	50582	445	192.168.2.22	23.21.155.227
Mar 28, 2025 22:14:30.877676010 CET	50583	445	192.168.2.22	93.247.152.166
Mar 28, 2025 22:14:30.877890110 CET	50584	445	192.168.2.22	199.70.227.96
Mar 28, 2025 22:14:30.893143892 CET	50587	445	192.168.2.22	116.135.110.189
Mar 28, 2025 22:14:30.893239021 CET	50588	445	192.168.2.22	211.218.118.105
Mar 28, 2025 22:14:30.893399000 CET	50589	445	192.168.2.22	72.102.68.207
Mar 28, 2025 22:14:30.893487930 CET	50590	445	192.168.2.22	222.22.30.2
Mar 28, 2025 22:14:30.893569946 CET	50591	445	192.168.2.22	30.248.18.68
Mar 28, 2025 22:14:30.924290895 CET	50595	445	192.168.2.22	156.220.226.104
Mar 28, 2025 22:14:30.924362898 CET	50596	445	192.168.2.22	216.105.119.245
Mar 28, 2025 22:14:30.924437046 CET	50597	445	192.168.2.22	122.160.235.160
Mar 28, 2025 22:14:30.940538883 CET	50599	445	192.168.2.22	144.135.10.9
Mar 28, 2025 22:14:31.033792019 CET	50608	445	192.168.2.22	206.49.114.153
Mar 28, 2025 22:14:31.094676018 CET	50612	445	192.168.2.22	85.146.194.50
Mar 28, 2025 22:14:31.151335001 CET	50622	445	192.168.2.22	213.44.244.2
Mar 28, 2025 22:14:31.192218065 CET	50624	445	192.168.2.22	93.41.142.83
Mar 28, 2025 22:14:31.192378044 CET	50627	445	192.168.2.22	55.220.240.108
Mar 28, 2025 22:14:31.230926037 CET	50630	445	192.168.2.22	83.92.206.221
Mar 28, 2025 22:14:31.361129999 CET	50637	445	192.168.2.22	158.114.65.85
Mar 28, 2025 22:14:31.555315971 CET	50649	445	192.168.2.22	99.228.158.91
Mar 28, 2025 22:14:31.555403948 CET	50650	445	192.168.2.22	90.252.219.199
Mar 28, 2025 22:14:31.555509090 CET	50652	445	192.168.2.22	77.61.207.41
Mar 28, 2025 22:14:31.555608988 CET	50654	445	192.168.2.22	6.34.34.94
Mar 28, 2025 22:14:31.564456940 CET	50658	445	192.168.2.22	113.231.151.182
Mar 28, 2025 22:14:31.579549074 CET	50662	445	192.168.2.22	72.151.104.17
Mar 28, 2025 22:14:31.673201084 CET	50667	445	192.168.2.22	74.216.57.38
Mar 28, 2025 22:14:31.673448086 CET	50670	445	192.168.2.22	111.165.217.158
Mar 28, 2025 22:14:31.673501968 CET	50669	445	192.168.2.22	169.215.77.25
Mar 28, 2025 22:14:31.715662956 CET	50672	445	192.168.2.22	122.215.71.140
Mar 28, 2025 22:14:31.715899944 CET	50674	445	192.168.2.22	158.59.167.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2025 22:13:26.695034981 CET	54562	53	192.168.2.22	8.8.8.8
Mar 28, 2025 22:13:26.782948971 CET	53	54562	8.8.8.8	192.168.2.22
Mar 28, 2025 22:13:27.565802097 CET	52917	53	192.168.2.22	8.8.8.8
Mar 28, 2025 22:13:27.650319099 CET	53	52917	8.8.8.8	192.168.2.22
Mar 28, 2025 22:15:18.835329056 CET	138	138	192.168.2.22	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2025 22:13:26.695034981 CET	192.168.2.22	8.8.8.8	0x5b7c	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
Mar 28, 2025 22:13:27.565802097 CET	192.168.2.22	8.8.8.8	0x3a89	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 28, 2025 22:13:26.782948971 CET	8.8.8.8	192.168.2.22	0x5b7c	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	A (IP address)	IN (0x0001)	false
Mar 28, 2025 22:13:26.782948971 CET	8.8.8.8	192.168.2.22	0x5b7c	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	A (IP address)	IN (0x0001)	false
Mar 28, 2025 22:13:27.650319099 CET	8.8.8.8	192.168.2.22	0x3a89	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	A (IP address)	IN (0x0001)	false
Mar 28, 2025 22:13:27.650319099 CET	8.8.8.8	192.168.2.22	0x3a89	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	104.16.166.228	80	3504	C:\Users\user\Desktop\mssecsvc.exe.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2025 22:13:26.896770954 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Mar 28, 2025 22:13:26.998145103 CET	778	IN	HTTP/1.1 200 OK Date: Fri, 28 Mar 2025 21:13:26 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 927a21a75da023ce-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	104.16.166.228	80	3676	C:\Users\user\Desktop\mssecsvc.exe.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2025 22:13:27.765008926 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Mar 28, 2025 22:13:27.867098093 CET	778	IN	HTTP/1.1 200 OK Date: Fri, 28 Mar 2025 21:13:27 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 927a21accb51f797-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Statistics

Click to jump to process

Memory Usage

• mssecsvc.exe.exe
• mssecsvc.exe.exe
• tasksche.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• mssecsvc.exe.exe
• mssecsvc.exe.exe
• tasksche.exe

Click to jump to process

Target ID:	0
Start time:	17:13:23
Start date:	28/03/2025
Path:	C:\Users\user\Desktop\mssecsvc.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mssecsvc.exe.exe"
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	0C694193CEAC8BFB016491FFB534EB7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.358030594.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.350973560.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.350995207.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.358062507.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:13:25
Start date:	28/03/2025
Path:	C:\Users\user\Desktop\mssecsvc.exe.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\mssecsvc.exe.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	0C694193CEAC8BFB016491FFB534EB7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.493697479.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.355043612.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.355162582.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.493989278.000000000289B000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.493722594.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.493920709.0000000002383000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:13:26
Start date:	28/03/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	7F7CCAA16FB15EB1C7399D422F8363E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.357354210.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.357560055.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mssecsvc.exe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
mssecsvc.exe.exe