Edit tour

Windows Analysis Report
hNgIvHRuTU.dll

Overview

General Information

Sample name:	hNgIvHRuTU.dll renamed because original name is a hash value
Original sample name:	8e6635b3dcb090c8478fc392ca94722e.dll
Analysis ID:	1592050
MD5:	8e6635b3dcb090c8478fc392ca94722e
SHA1:	937ba8b6fa1778a3fcbb3731c114c9364f7170b8
SHA256:	1fc5e4c8809b39d79324848bceac749000ea572d050c81275ae3053a83ba7d12
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3920 cmdline: loaddll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1848 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 3292 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 526B41F0EBCFED2206ED1C567D79D1FD)

rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\hNgIvHRuTU.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3380 cmdline: rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvr.exe (PID: 2380 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 526B41F0EBCFED2206ED1C567D79D1FD)

mssecsvr.exe (PID: 6640 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 526B41F0EBCFED2206ED1C567D79D1FD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hNgIvHRuTU.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
hNgIvHRuTU.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
hNgIvHRuTU.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.2135064930.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2164308144.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2156076914.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.2176853198.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvr.exe PID: 3292	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 6640	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvr.exe PID: 2380	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvr.exe.1d7f128.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.1d7f128.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
9.0.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
5.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d4d084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.22a596c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.22a596c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22a596c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22a596c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.22a596c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xe8d8:$x3: tasksche.exe 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xe92c:$x5: WNcry@2ol7 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xe82c:$s3: cmd.exe /c "%s"
7.2.mssecsvr.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22738c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d7f128.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d7f128.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
7.2.mssecsvr.exe.1d7f128.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
5.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.0.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d5c104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d5c104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d5c104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d5c104.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry
9.2.mssecsvr.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.2282948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.2282948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.2282948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.2282948.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.22738c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.22738c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.22738c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.1d4d084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d4d084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.1d4d084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.0.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvr.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.mssecsvr.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.mssecsvr.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d5c104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d5c104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d5c104.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.1d580a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.1d580a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.1d580a4.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.2282948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.2282948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.2282948.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvr.exe.227e8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvr.exe.227e8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
7.2.mssecsvr.exe.227e8e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 87 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:47:09.680654+0100	2803304	3	Unknown Traffic	192.168.2.5	49717	103.224.212.215	80	TCP
2025-01-15T17:47:11.364702+0100	2803304	3	Unknown Traffic	192.168.2.5	49720	103.224.212.215	80	TCP

ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:47:08.760608+0100	2830018	1	A Network Trojan was detected	192.168.2.5	65478	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hNgIvHRuTU.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//i	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231ad	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650e	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650efc	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 85%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 85%

Multi AV Scanner detection for submitted file

Source: hNgIvHRuTU.dll	Virustotal: Detection: 93%			Perma Link
Source: hNgIvHRuTU.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hNgIvHRuTU.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: hNgIvHRuTU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49931 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50283 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50638 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50639 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50640 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50641 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.5:65478 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-119b-90f6-837dd48231ad HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736959629.6434080
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-12c5-b838-b08634650efc HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=16b7b141-0abf-4f9e-8c4f-1c3090e5ffce

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49717 -> 103.224.212.215:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49720 -> 103.224.212.215:80

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49931 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.133
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-119b-90f6-837dd48231ad HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736959629.6434080
Source: global traffic	HTTP traffic detected: GET /?subid1=20250116-0347-12c5-b838-b08634650efc HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=16b7b141-0abf-4f9e-8c4f-1c3090e5ffce

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: mssecsvr.exe, 00000005.00000002.2168698777.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsoLF
Source: mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//i
Source: mssecsvr.exe, 00000005.00000002.2168698777.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw
Source: mssecsvr.exe, 00000005.00000002.2168698777.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8
Source: mssecsvr.exe, 00000007.00000002.2802700197.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2802700197.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231
Source: mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650e
Source: mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s
Source: hNgIvHRuTU.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: mssecsvr.exe, 00000005.00000002.2168698777.000000000097E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2168698777.0000000000966000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S
Source: mssecsvr.exe, 00000007.00000002.2802057332.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
Source: mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc
Source: mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgsohB&
Source: mssecsvr.exe, 00000009.00000002.2177448708.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comyC

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50638
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50639
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 50283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 50641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50641
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50640
Source: unknown	Network traffic detected: HTTP traffic on port 50373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50640 -> 443

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50283 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50638 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50639 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50640 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50641 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: hNgIvHRuTU.dll, type: SAMPLE
Source: Yara match	File source: 7.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d7f128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d4d084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d5c104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.1d580a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.2282948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvr.exe.227e8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.2135064930.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2164308144.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2156076914.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2176853198.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 6640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvr.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: hNgIvHRuTU.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: hNgIvHRuTU.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d7f128.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d7f128.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d4d084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d7f128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d7f128.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.1d4d084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d4d084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d5c104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d5c104.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.1d580a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.1d580a4.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.2282948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.2282948.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvr.exe.227e8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvr.exe.227e8e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: hNgIvHRuTU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: hNgIvHRuTU.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: hNgIvHRuTU.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d7f128.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d7f128.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d4d084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d7f128.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d7f128.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d5c104.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.2282948.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.1d4d084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d4d084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d5c104.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d5c104.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.1d580a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.1d580a4.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.2282948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.2282948.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvr.exe.227e8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvr.exe.227e8e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: tasksche.exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.5.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.5.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: hNgIvHRuTU.dll, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100

Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		5_2_00407C40
Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		7_2_00407C40

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvr.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvr.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_03

Source: hNgIvHRuTU.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hNgIvHRuTU.dll,PlayGame

Source: hNgIvHRuTU.dll	Virustotal: Detection: 93%
Source: hNgIvHRuTU.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hNgIvHRuTU.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hNgIvHRuTU.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: hNgIvHRuTU.dll

Static file information: File size 5267459 > 1048576

Source: hNgIvHRuTU.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: tasksche.exe.5.dr

Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvr.exe

Jump to behavior

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvr.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvr.exe	Dropped PE file which has not been started: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvr.exe TID: 5816	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5816	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6336	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 6336	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 5816	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvr.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvr.exe, 00000005.00000002.2168698777.0000000000997000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2168698777.0000000000966000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2802700197.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hNgIvHRuTU.dll	93%	Virustotal		Browse
hNgIvHRuTU.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
hNgIvHRuTU.dll	100%	Avira	TR/AD.DPulsarShellcode.fqgnr
hNgIvHRuTU.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	86%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	86%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//i	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231ad	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650e	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comyC	0%	Avira URL Cloud	safe
http://ww25.iuqerfsoLF	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgsohB&	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650efc	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
77026.bodis.com	199.59.243.228	true	false	high
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	high
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231ad	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650efc	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650e	mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	hNgIvHRuTU.dll	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com//i	mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/s	mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8	mssecsvr.exe, 00000005.00000002.2168698777.0000000000966000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsoLF	mssecsvr.exe, 00000005.00000002.2168698777.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231	mssecsvr.exe, 00000007.00000002.2802700197.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2802700197.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	mssecsvr.exe, 00000007.00000002.2802057332.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comyC	mssecsvr.exe, 00000009.00000002.2177448708.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comgsohB&	mssecsvr.exe, 00000007.00000002.2802700197.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comc	mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/S	mssecsvr.exe, 00000009.00000002.2177448708.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/33ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrw	mssecsvr.exe, 00000005.00000002.2168698777.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
101.5.197.1	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
78.130.181.2	unknown	Bulgaria	9070	COOOLBOXBG	false
78.130.181.1	unknown	Bulgaria	9070	COOOLBOXBG	false
101.5.197.2	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
35.81.47.1	unknown	United States	237	MERIT-AS-14US	false
13.229.164.1	unknown	United States	16509	AMAZON-02US	false
13.229.164.2	unknown	United States	16509	AMAZON-02US	false
25.38.30.167	unknown	United Kingdom	7922	COMCAST-7922US	false
31.52.246.6	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
31.52.246.1	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
35.81.47.184	unknown	United States	237	MERIT-AS-14US	false
41.240.115.2	unknown	Sudan	36998	SDN-MOBITELSD	false
41.240.115.1	unknown	Sudan	36998	SDN-MOBITELSD	false
126.75.17.59	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
2.139.197.109	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
129.17.117.58	unknown	United States	2841	CHALMERSSE	false
218.112.212.165	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
13.229.164.57	unknown	United States	16509	AMAZON-02US	false
116.101.184.130	unknown	Viet Nam	24086	VIETTEL-AS-VNViettelCorporationVN	false
129.17.117.1	unknown	United States	2841	CHALMERSSE	false
144.29.150.72	unknown	United States	26258	BASF-CORPUS	false
208.140.179.1	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
208.140.179.2	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592050
Start date and time:	2025-01-15 17:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hNgIvHRuTU.dll renamed because original name is a hash value
Original Sample Name:	8e6635b3dcb090c8478fc392ca94722e.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@18/2@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.126.31.67, 40.126.31.71, 20.190.159.64, 20.190.159.0, 20.190.159.68, 20.190.159.75, 20.190.159.4, 20.190.159.71, 2.23.77.188, 199.232.214.172, 184.30.131.245, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:47:10	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:47:45	API Interceptor	112x Sleep call for process: mssecsvr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	199.59.243.228
bg.microsoft.map.fastly.net	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	199.232.214.172
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61f	Get hash	malicious	Unknown	Browse	199.232.214.172
	Sample1.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	RFQ # PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	21033090848109083.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG	Get hash	malicious	Unknown	Browse	199.232.214.172
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	199.232.210.172
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	Gn8CvJE07O.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	mLm1d1GV4R.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	hVgcaX2SV8.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	D3W41IdtQA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215
	F1G5BkUV74.dll	Get hash	malicious	Wannacry	Browse	103.224.212.215

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	bot.x86.elf	Get hash	malicious	Unknown	Browse	211.64.121.81
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	49.52.78.27
	JRTn7b1kHg.dll	Get hash	malicious	Wannacry	Browse	210.39.38.201
	arm5.elf	Get hash	malicious	Mirai	Browse	49.122.176.54
	i486.elf	Get hash	malicious	Mirai	Browse	219.245.251.243
	xd.arm.elf	Get hash	malicious	Mirai	Browse	218.193.82.69
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	222.200.203.195
	sh4.elf	Get hash	malicious	Mirai	Browse	125.219.170.30
	arm4.elf	Get hash	malicious	Mirai	Browse	211.81.11.203
	x86_64.elf	Get hash	malicious	Mirai	Browse	202.202.204.242
COOOLBOXBG	res.x86.elf	Get hash	malicious	Unknown	Browse	78.130.235.19
	i686.elf	Get hash	malicious	Mirai	Browse	78.130.224.140
	jklspc.elf	Get hash	malicious	Unknown	Browse	89.25.106.40
	nklspc.elf	Get hash	malicious	Unknown	Browse	89.25.106.96
	nshkppc.elf	Get hash	malicious	Mirai	Browse	89.25.106.83
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	89.25.110.124
	jew.arm.elf	Get hash	malicious	Unknown	Browse	87.118.186.92
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	78.130.211.86
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	78.130.235.71
	sh4.elf	Get hash	malicious	Unknown	Browse	94.155.240.169
COOOLBOXBG	res.x86.elf	Get hash	malicious	Unknown	Browse	78.130.235.19
	i686.elf	Get hash	malicious	Mirai	Browse	78.130.224.140
	jklspc.elf	Get hash	malicious	Unknown	Browse	89.25.106.40
	nklspc.elf	Get hash	malicious	Unknown	Browse	89.25.106.96
	nshkppc.elf	Get hash	malicious	Mirai	Browse	89.25.106.83
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	89.25.110.124
	jew.arm.elf	Get hash	malicious	Unknown	Browse	87.118.186.92
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	78.130.211.86
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	78.130.235.71
	sh4.elf	Get hash	malicious	Unknown	Browse	94.155.240.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	23.1.237.91
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://reviewpolicysocialreach.vercel.app/help&z/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
3b5074b1b5d032e5620f69f9f700ff0e	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	40.115.3.253
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Updater.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Updater.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	40.115.3.253
	https://pub-2d00d32ff6d84ef6999828eaf509b772.r2.dev/index.html#watson.becky@aidb.org	Get hash	malicious	HTMLPhisher	Browse	40.115.3.253
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	4.746672560135426
Encrypted:	false
SSDEEP:	12288:nti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFGeXE3Ty:tihdmMSirYbcMNgef0QeQjG/D8kI
MD5:	52AA9FB068FDAC0FCA843445F6307EB1
SHA1:	FA23F0832161F16C71EDC22C29F3EF0778984C7D
SHA-256:	AF0F8D57126E3588D7C846CB326A71DF2CADD861A88FBFFDA0DBC992C509552C
SHA-512:	B512E0A21D222418E39DF683DBCB1D8E74E98F07991C87B4C520AEF2288DA33166A9018A33141350076311840B3573E633938E754CB8772DE4D6C185C01B6E6C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 86%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	4.746672560135426
Encrypted:	false
SSDEEP:	12288:nti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFGeXE3Ty:tihdmMSirYbcMNgef0QeQjG/D8kI
MD5:	52AA9FB068FDAC0FCA843445F6307EB1
SHA1:	FA23F0832161F16C71EDC22C29F3EF0778984C7D
SHA-256:	AF0F8D57126E3588D7C846CB326A71DF2CADD861A88FBFFDA0DBC992C509552C
SHA-512:	B512E0A21D222418E39DF683DBCB1D8E74E98F07991C87B4C520AEF2288DA33166A9018A33141350076311840B3573E633938E754CB8772DE4D6C185C01B6E6C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.4405660616262628
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hNgIvHRuTU.dll
File size:	5'267'459 bytes
MD5:	8e6635b3dcb090c8478fc392ca94722e
SHA1:	937ba8b6fa1778a3fcbb3731c114c9364f7170b8
SHA256:	1fc5e4c8809b39d79324848bceac749000ea572d050c81275ae3053a83ba7d12
SHA512:	ccb266c561bc4d39007625f942863516d57a6e2097105281d38ab1598b126b11f2b7213666a8e231719d6f2cb6a16cdc6cdd626d204c99319da4f27b43431d20
SSDEEP:	24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kI:RnnMSPbcBVQej/
TLSH:	BA36239A75AC51F8D21A3274A4774B26A1B73C6D31BD9B0F9B808A211C03B91FB54F63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F7AE48339EBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F7AE4833A08h
cmp esi, 01h
je 00007F7AE48339E7h
cmp esi, 02h
jne 00007F7AE4833A04h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F7AE48339EBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F7AE48339EEh
push edi
push esi
push ebx
call 00007F7AE48338FAh
test eax, eax
jne 00007F7AE48339E6h
xor eax, eax
jmp 00007F7AE4833A30h
push edi
push esi
push ebx
call 00007F7AE48337ACh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F7AE48339EEh
test eax, eax
jne 00007F7AE4833A19h
push edi
push eax
push ebx
call 00007F7AE48338D6h
test esi, esi
je 00007F7AE48339E7h
cmp esi, 03h
jne 00007F7AE4833A08h
push edi
push esi
push ebx
call 00007F7AE48338C5h
test eax, eax
jne 00007F7AE48339E5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F7AE48339F3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F7AE48339EAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	9b27c3f254416f775f5a51102ef8fb84	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085726967663312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	6f52f32d0ed35f249bab626131943177	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8791799545288086

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T17:47:08.760608+0100	2830018	ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	1	192.168.2.5	65478	1.1.1.1	53	UDP
2025-01-15T17:47:09.680654+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49717	103.224.212.215	80	TCP
2025-01-15T17:47:11.364702+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49720	103.224.212.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:47:02.391900063 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.391930103 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.391938925 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.391946077 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.391954899 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392117023 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.392160892 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392219067 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.392236948 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392249107 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392261028 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392297983 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.392692089 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392713070 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392724037 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392730951 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.392750978 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.392777920 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.393354893 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.393368006 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.393412113 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.396961927 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.396984100 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.397012949 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.452544928 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.478621006 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.478637934 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.478841066 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.527669907 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.527709007 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:02.532601118 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.532628059 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.532697916 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:02.532706976 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.171241045 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:03.171241045 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:03.177598000 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177615881 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177628040 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177640915 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177678108 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.177711964 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.177834034 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177897930 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177908897 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177921057 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177932024 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.177942991 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.177968025 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.178750038 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.178762913 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.178802013 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.199673891 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.199739933 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.204545975 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.204560041 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.204672098 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.204680920 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.297979116 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:03.692935944 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.692965984 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.692976952 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.692986012 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693000078 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693010092 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693018913 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693030119 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693037987 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.693079948 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.693598032 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693608046 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693617105 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693624973 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.693651915 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.693667889 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.721461058 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.721523046 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:03.726366043 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.726377964 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.726428032 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.726438046 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:03.726558924 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104610920 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104645014 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104655981 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104729891 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:04.104813099 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104845047 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104856968 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104867935 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104885101 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.104907036 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:04.104933023 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:04.104947090 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:04.105679035 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.105727911 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:47:04.105772972 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:47:04.413244009 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:04.413301945 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:04.413399935 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:04.414098024 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:04.414112091 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.223386049 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.223507881 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.226553917 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.226563931 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.227498055 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.228554964 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.228609085 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.228831053 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.228832960 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.275330067 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.636130095 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.636225939 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:05.636389017 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.636461973 CET	49712	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:05.636482954 CET	443	49712	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.077476025 CET	49717	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:09.082539082 CET	80	49717	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:09.082640886 CET	49717	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:09.082789898 CET	49717	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:09.087589025 CET	80	49717	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:09.138021946 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.138053894 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.138142109 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.138907909 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.138925076 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.680531025 CET	80	49717	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:09.680553913 CET	80	49717	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:09.680654049 CET	49717	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:09.684052944 CET	49717	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:09.688853979 CET	80	49717	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:09.935138941 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.935230017 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.941282988 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.941313028 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.942051888 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.943202972 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.943387985 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.943398952 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:09.943491936 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:09.987339020 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:10.018801928 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.023631096 CET	80	49719	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:10.023731947 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.023938894 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.028892994 CET	80	49719	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:10.113739014 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:10.113961935 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:10.114022970 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:10.114120960 CET	49718	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:10.114136934 CET	443	49718	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:10.521435976 CET	80	49719	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:10.521452904 CET	80	49719	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:10.521622896 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.530143023 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.530167103 CET	49719	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:10.765713930 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:10.770613909 CET	80	49720	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:10.770695925 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:10.770787954 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:10.776273012 CET	80	49720	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.364633083 CET	80	49720	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.364701986 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.364732027 CET	80	49720	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.364779949 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.368694067 CET	49720	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.370827913 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.374773979 CET	80	49720	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.376844883 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:11.376930952 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.377120018 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.384500980 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:11.610800982 CET	49722	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.615633011 CET	80	49722	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.615701914 CET	49722	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.615814924 CET	49722	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:11.620604038 CET	80	49722	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:11.840775013 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:11.840790987 CET	80	49721	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:11.840856075 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.847928047 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.847966909 CET	49721	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:11.885294914 CET	49723	445	192.168.2.5	65.166.2.92
Jan 15, 2025 17:47:11.890172005 CET	445	49723	65.166.2.92	192.168.2.5
Jan 15, 2025 17:47:11.890275955 CET	49723	445	192.168.2.5	65.166.2.92
Jan 15, 2025 17:47:11.890973091 CET	49723	445	192.168.2.5	65.166.2.92
Jan 15, 2025 17:47:11.891165972 CET	49724	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.896019936 CET	445	49724	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:11.896032095 CET	445	49723	65.166.2.92	192.168.2.5
Jan 15, 2025 17:47:11.896101952 CET	49723	445	192.168.2.5	65.166.2.92
Jan 15, 2025 17:47:11.896114111 CET	49724	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.896189928 CET	49724	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.900865078 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.901304960 CET	445	49724	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:11.901371002 CET	49724	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.905769110 CET	445	49726	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:11.905873060 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.905956984 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:11.910712957 CET	445	49726	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:12.209203959 CET	80	49722	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:12.209218979 CET	80	49722	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:12.209297895 CET	49722	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:12.210681915 CET	49722	80	192.168.2.5	103.224.212.215
Jan 15, 2025 17:47:12.211540937 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.215526104 CET	80	49722	103.224.212.215	192.168.2.5
Jan 15, 2025 17:47:12.216383934 CET	80	49734	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:12.217777967 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.217854023 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.222631931 CET	80	49734	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:12.369935989 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:12.369970083 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:12.370059967 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:12.370498896 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:12.370511055 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:12.675833941 CET	80	49734	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:12.675851107 CET	80	49734	199.59.243.228	192.168.2.5
Jan 15, 2025 17:47:12.675928116 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.679147005 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.679172993 CET	49734	80	192.168.2.5	199.59.243.228
Jan 15, 2025 17:47:12.780531883 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:12.780544996 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:12.905553102 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:13.181185961 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.181272030 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.201366901 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.201385021 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.201773882 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.216327906 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.226475000 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.226483107 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.229710102 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.271341085 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.422638893 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.423782110 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.423799992 CET	443	49737	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:13.423829079 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.423855066 CET	49737	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:13.891406059 CET	49750	445	192.168.2.5	194.183.238.88
Jan 15, 2025 17:47:13.896301031 CET	445	49750	194.183.238.88	192.168.2.5
Jan 15, 2025 17:47:13.896373987 CET	49750	445	192.168.2.5	194.183.238.88
Jan 15, 2025 17:47:13.896414042 CET	49750	445	192.168.2.5	194.183.238.88
Jan 15, 2025 17:47:13.896749973 CET	49751	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.901582956 CET	445	49751	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:13.901637077 CET	49751	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.901647091 CET	445	49750	194.183.238.88	192.168.2.5
Jan 15, 2025 17:47:13.901710033 CET	49750	445	192.168.2.5	194.183.238.88
Jan 15, 2025 17:47:13.901798964 CET	49751	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.902903080 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.906616926 CET	445	49751	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:13.906663895 CET	49751	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.907665968 CET	445	49752	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:13.907962084 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.907962084 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:13.912722111 CET	445	49752	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:14.571979046 CET	443	49708	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:14.572113037 CET	49708	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:15.907305002 CET	49775	445	192.168.2.5	25.38.30.167
Jan 15, 2025 17:47:15.912158966 CET	445	49775	25.38.30.167	192.168.2.5
Jan 15, 2025 17:47:15.912229061 CET	49775	445	192.168.2.5	25.38.30.167
Jan 15, 2025 17:47:15.912261009 CET	49775	445	192.168.2.5	25.38.30.167
Jan 15, 2025 17:47:15.912477016 CET	49776	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.917325974 CET	445	49775	25.38.30.167	192.168.2.5
Jan 15, 2025 17:47:15.917340040 CET	445	49776	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:15.917393923 CET	49775	445	192.168.2.5	25.38.30.167
Jan 15, 2025 17:47:15.917437077 CET	49776	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.917490005 CET	49776	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.918410063 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.922420979 CET	445	49776	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:15.922470093 CET	49776	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.923202991 CET	445	49777	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:15.923263073 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.923322916 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:15.928045034 CET	445	49777	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:17.922538042 CET	49801	445	192.168.2.5	218.112.212.165
Jan 15, 2025 17:47:17.927375078 CET	445	49801	218.112.212.165	192.168.2.5
Jan 15, 2025 17:47:17.927453041 CET	49801	445	192.168.2.5	218.112.212.165
Jan 15, 2025 17:47:17.927485943 CET	49801	445	192.168.2.5	218.112.212.165
Jan 15, 2025 17:47:17.927628040 CET	49802	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.932384968 CET	445	49801	218.112.212.165	192.168.2.5
Jan 15, 2025 17:47:17.932445049 CET	49801	445	192.168.2.5	218.112.212.165
Jan 15, 2025 17:47:17.932451010 CET	445	49802	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:17.932514906 CET	49802	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.932570934 CET	49802	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.933593988 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.937546015 CET	445	49802	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:17.937616110 CET	49802	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.938338995 CET	445	49803	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:17.938396931 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.938441992 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:17.943192959 CET	445	49803	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:18.471529961 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:18.471595049 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:18.471677065 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:18.472507954 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:18.472532988 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.266696930 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.266803026 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.274992943 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.275017023 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.275218010 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.276196003 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.276263952 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.276271105 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.276345968 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.319325924 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.456830978 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.456924915 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.457050085 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.457298994 CET	49813	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:19.457319975 CET	443	49813	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:19.938040972 CET	49840	445	192.168.2.5	77.53.16.112
Jan 15, 2025 17:47:19.942945957 CET	445	49840	77.53.16.112	192.168.2.5
Jan 15, 2025 17:47:19.943026066 CET	49840	445	192.168.2.5	77.53.16.112
Jan 15, 2025 17:47:19.943069935 CET	49840	445	192.168.2.5	77.53.16.112
Jan 15, 2025 17:47:19.943253040 CET	49841	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.948043108 CET	445	49841	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:19.948148012 CET	49841	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.948148012 CET	49841	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.948159933 CET	445	49840	77.53.16.112	192.168.2.5
Jan 15, 2025 17:47:19.948220015 CET	49840	445	192.168.2.5	77.53.16.112
Jan 15, 2025 17:47:19.949018955 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.953816891 CET	445	49842	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:19.953891993 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.953903913 CET	445	49841	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:19.953965902 CET	49841	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.954051971 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:19.958806038 CET	445	49842	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:21.957031012 CET	49875	445	192.168.2.5	13.229.164.57
Jan 15, 2025 17:47:21.961947918 CET	445	49875	13.229.164.57	192.168.2.5
Jan 15, 2025 17:47:21.962064028 CET	49875	445	192.168.2.5	13.229.164.57
Jan 15, 2025 17:47:21.965611935 CET	49875	445	192.168.2.5	13.229.164.57
Jan 15, 2025 17:47:21.965755939 CET	49876	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.970515013 CET	445	49875	13.229.164.57	192.168.2.5
Jan 15, 2025 17:47:21.970554113 CET	445	49876	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:21.970591068 CET	49875	445	192.168.2.5	13.229.164.57
Jan 15, 2025 17:47:21.970640898 CET	49876	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.970685959 CET	49876	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.975403070 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.975538969 CET	445	49876	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:21.975656033 CET	445	49876	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:21.975717068 CET	49876	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.980293989 CET	445	49877	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:21.980369091 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.980448961 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:21.985328913 CET	445	49877	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:22.210112095 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:22.210154057 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:22.210231066 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:22.211081982 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:22.211098909 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.045561075 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.045659065 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.047173023 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.047183990 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.047396898 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.048934937 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.048991919 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.048998117 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.049108028 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.095338106 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.223886013 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.224031925 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.224247932 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.224524021 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.224533081 CET	443	49885	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:23.224550962 CET	49885	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:23.968342066 CET	49917	445	192.168.2.5	101.5.197.177
Jan 15, 2025 17:47:23.973191977 CET	445	49917	101.5.197.177	192.168.2.5
Jan 15, 2025 17:47:23.973283052 CET	49917	445	192.168.2.5	101.5.197.177
Jan 15, 2025 17:47:23.973335028 CET	49917	445	192.168.2.5	101.5.197.177
Jan 15, 2025 17:47:23.973458052 CET	49918	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.978246927 CET	445	49917	101.5.197.177	192.168.2.5
Jan 15, 2025 17:47:23.978305101 CET	49917	445	192.168.2.5	101.5.197.177
Jan 15, 2025 17:47:23.978382111 CET	445	49918	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:23.979129076 CET	49918	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.979190111 CET	49918	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.979393005 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.984117031 CET	445	49918	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:23.984220028 CET	49918	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.984289885 CET	445	49919	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:23.984529972 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.984568119 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:23.989379883 CET	445	49919	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:24.782385111 CET	49708	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:24.782460928 CET	49708	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:24.782934904 CET	49931	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:24.782953978 CET	443	49931	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:24.783052921 CET	49931	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:24.783298016 CET	49931	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:24.783310890 CET	443	49931	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:24.787138939 CET	443	49708	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:24.787167072 CET	443	49708	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:25.361450911 CET	443	49931	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:25.361556053 CET	49931	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:25.984050989 CET	49950	445	192.168.2.5	41.240.115.69
Jan 15, 2025 17:47:25.989061117 CET	445	49950	41.240.115.69	192.168.2.5
Jan 15, 2025 17:47:25.989154100 CET	49950	445	192.168.2.5	41.240.115.69
Jan 15, 2025 17:47:25.989154100 CET	49950	445	192.168.2.5	41.240.115.69
Jan 15, 2025 17:47:25.989279985 CET	49951	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.994110107 CET	445	49951	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:25.994180918 CET	49951	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.994216919 CET	49951	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.994234085 CET	445	49950	41.240.115.69	192.168.2.5
Jan 15, 2025 17:47:25.994324923 CET	49950	445	192.168.2.5	41.240.115.69
Jan 15, 2025 17:47:25.994515896 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.999169111 CET	445	49951	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:25.999228001 CET	49951	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.999387980 CET	445	49952	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:25.999465942 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:25.999536991 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:26.004461050 CET	445	49952	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:27.999962091 CET	49988	445	192.168.2.5	208.140.179.55
Jan 15, 2025 17:47:28.004776001 CET	445	49988	208.140.179.55	192.168.2.5
Jan 15, 2025 17:47:28.004869938 CET	49988	445	192.168.2.5	208.140.179.55
Jan 15, 2025 17:47:28.004971027 CET	49988	445	192.168.2.5	208.140.179.55
Jan 15, 2025 17:47:28.005160093 CET	49989	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.009922028 CET	445	49989	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:28.010005951 CET	49989	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.010313034 CET	49989	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.010437012 CET	445	49988	208.140.179.55	192.168.2.5
Jan 15, 2025 17:47:28.010492086 CET	49988	445	192.168.2.5	208.140.179.55
Jan 15, 2025 17:47:28.010807037 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.015084028 CET	445	49989	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:28.015158892 CET	49989	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.015605927 CET	445	49990	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:28.015688896 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.015759945 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:28.020524025 CET	445	49990	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:30.016364098 CET	50028	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.021465063 CET	445	50028	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:30.024796963 CET	50028	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.025895119 CET	50028	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.026086092 CET	50029	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.030908108 CET	445	50028	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:30.031037092 CET	445	50029	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:30.031131029 CET	50029	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.031155109 CET	50028	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.031217098 CET	50029	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.031588078 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.036286116 CET	445	50029	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:30.036426067 CET	445	50030	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:30.036508083 CET	50029	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.036533117 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.036597967 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:30.041338921 CET	445	50030	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:32.019128084 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.019164085 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.019256115 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.020013094 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.020025015 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.034245014 CET	50064	445	192.168.2.5	2.6.237.39
Jan 15, 2025 17:47:32.038975954 CET	445	50064	2.6.237.39	192.168.2.5
Jan 15, 2025 17:47:32.039071083 CET	50064	445	192.168.2.5	2.6.237.39
Jan 15, 2025 17:47:32.039088964 CET	50064	445	192.168.2.5	2.6.237.39
Jan 15, 2025 17:47:32.039333105 CET	50065	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.044126987 CET	445	50064	2.6.237.39	192.168.2.5
Jan 15, 2025 17:47:32.044137955 CET	445	50065	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:32.044310093 CET	50064	445	192.168.2.5	2.6.237.39
Jan 15, 2025 17:47:32.044451952 CET	50065	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.044451952 CET	50065	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.044738054 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.049371004 CET	445	50065	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:32.049504995 CET	445	50066	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:32.049524069 CET	50065	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.049575090 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.049602985 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:32.054344893 CET	445	50066	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:32.821424961 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.821547985 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.824069023 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.824080944 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.824281931 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.825752974 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.825834036 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.825839996 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.825969934 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:32.871330023 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.999627113 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.999782085 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:32.999866962 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:33.000775099 CET	50063	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:33.000785112 CET	443	50063	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:33.267127991 CET	445	49726	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:33.267201900 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:33.267244101 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:33.267374039 CET	49726	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:33.272080898 CET	445	49726	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:33.272150040 CET	445	49726	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:34.047164917 CET	50099	445	192.168.2.5	126.122.68.113
Jan 15, 2025 17:47:34.051969051 CET	445	50099	126.122.68.113	192.168.2.5
Jan 15, 2025 17:47:34.052050114 CET	50099	445	192.168.2.5	126.122.68.113
Jan 15, 2025 17:47:34.052120924 CET	50099	445	192.168.2.5	126.122.68.113
Jan 15, 2025 17:47:34.052294970 CET	50101	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.057117939 CET	445	50099	126.122.68.113	192.168.2.5
Jan 15, 2025 17:47:34.057127953 CET	445	50101	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:34.057179928 CET	50099	445	192.168.2.5	126.122.68.113
Jan 15, 2025 17:47:34.057216883 CET	50101	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.057302952 CET	50101	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.057657003 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.062216997 CET	445	50101	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:34.062273026 CET	50101	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.062684059 CET	445	50102	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:34.062764883 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.062818050 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:34.067754030 CET	445	50102	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:35.316050053 CET	445	49752	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:35.316148996 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:35.316215038 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:35.316299915 CET	49752	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:35.320919037 CET	445	49752	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:35.321049929 CET	445	49752	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:36.062295914 CET	50136	445	192.168.2.5	40.64.79.69
Jan 15, 2025 17:47:36.067137003 CET	445	50136	40.64.79.69	192.168.2.5
Jan 15, 2025 17:47:36.067203999 CET	50136	445	192.168.2.5	40.64.79.69
Jan 15, 2025 17:47:36.067272902 CET	50136	445	192.168.2.5	40.64.79.69
Jan 15, 2025 17:47:36.067361116 CET	50137	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.072103977 CET	445	50137	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:36.072163105 CET	50137	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.072200060 CET	50137	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.072412968 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.072597027 CET	445	50136	40.64.79.69	192.168.2.5
Jan 15, 2025 17:47:36.072652102 CET	50136	445	192.168.2.5	40.64.79.69
Jan 15, 2025 17:47:36.077061892 CET	445	50137	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:36.077116013 CET	50137	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.077156067 CET	445	50138	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:36.077217102 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.077251911 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:36.082057953 CET	445	50138	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:36.296832085 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:36.301667929 CET	445	50141	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:36.301753044 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:36.302697897 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:36.307446957 CET	445	50141	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:37.300534010 CET	445	49777	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:37.300597906 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:37.300698996 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:37.300803900 CET	49777	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:37.305434942 CET	445	49777	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:37.305495977 CET	445	49777	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:38.078346968 CET	50159	445	192.168.2.5	55.191.105.244
Jan 15, 2025 17:47:38.083338022 CET	445	50159	55.191.105.244	192.168.2.5
Jan 15, 2025 17:47:38.083482981 CET	50159	445	192.168.2.5	55.191.105.244
Jan 15, 2025 17:47:38.083594084 CET	50159	445	192.168.2.5	55.191.105.244
Jan 15, 2025 17:47:38.083873034 CET	50160	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.088735104 CET	445	50160	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:38.088783979 CET	445	50159	55.191.105.244	192.168.2.5
Jan 15, 2025 17:47:38.088879108 CET	50159	445	192.168.2.5	55.191.105.244
Jan 15, 2025 17:47:38.088924885 CET	50160	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.088924885 CET	50160	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.089359999 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.093836069 CET	445	50160	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:38.093894958 CET	50160	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.094168901 CET	445	50161	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:38.094233036 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.094257116 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:38.099046946 CET	445	50161	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:38.327780962 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:38.332612038 CET	445	50163	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:38.332724094 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:38.332762957 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:38.337610006 CET	445	50163	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:39.345009089 CET	445	49803	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:39.345078945 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:39.345139980 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:39.345196009 CET	49803	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:39.349994898 CET	445	49803	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:39.350008965 CET	445	49803	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:39.865155935 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:39.865185022 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:39.865263939 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:39.865705967 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:39.865730047 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.093592882 CET	50175	445	192.168.2.5	33.180.119.81
Jan 15, 2025 17:47:40.099066019 CET	445	50175	33.180.119.81	192.168.2.5
Jan 15, 2025 17:47:40.099144936 CET	50175	445	192.168.2.5	33.180.119.81
Jan 15, 2025 17:47:40.099219084 CET	50175	445	192.168.2.5	33.180.119.81
Jan 15, 2025 17:47:40.099428892 CET	50176	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.104068995 CET	445	50175	33.180.119.81	192.168.2.5
Jan 15, 2025 17:47:40.104125977 CET	50175	445	192.168.2.5	33.180.119.81
Jan 15, 2025 17:47:40.104197979 CET	445	50176	33.180.119.1	192.168.2.5
Jan 15, 2025 17:47:40.104260921 CET	50176	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.104275942 CET	50176	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.104466915 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.109318972 CET	445	50176	33.180.119.1	192.168.2.5
Jan 15, 2025 17:47:40.109329939 CET	445	50177	33.180.119.1	192.168.2.5
Jan 15, 2025 17:47:40.109379053 CET	50176	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.109395027 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.109435081 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:47:40.114193916 CET	445	50177	33.180.119.1	192.168.2.5
Jan 15, 2025 17:47:40.312028885 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:40.316802025 CET	445	50182	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:40.316857100 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:40.316948891 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:47:40.321715117 CET	445	50182	25.38.30.1	192.168.2.5
Jan 15, 2025 17:47:40.645669937 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.645772934 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.647269964 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.647279024 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.647515059 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.649009943 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.649056911 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.649065018 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.649154902 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.691332102 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.819219112 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.819437027 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:40.819499016 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.819641113 CET	50174	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:40.819660902 CET	443	50174	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:41.343045950 CET	445	49842	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:41.343126059 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:41.343223095 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:41.343290091 CET	49842	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:41.348016977 CET	445	49842	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:41.348026991 CET	445	49842	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:42.109198093 CET	50192	445	192.168.2.5	78.130.181.101
Jan 15, 2025 17:47:42.114016056 CET	445	50192	78.130.181.101	192.168.2.5
Jan 15, 2025 17:47:42.114106894 CET	50192	445	192.168.2.5	78.130.181.101
Jan 15, 2025 17:47:42.114141941 CET	50192	445	192.168.2.5	78.130.181.101
Jan 15, 2025 17:47:42.114419937 CET	50193	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.119052887 CET	445	50192	78.130.181.101	192.168.2.5
Jan 15, 2025 17:47:42.119112015 CET	50192	445	192.168.2.5	78.130.181.101
Jan 15, 2025 17:47:42.119194031 CET	445	50193	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:42.119267941 CET	50193	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.119267941 CET	50193	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.119448900 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.124299049 CET	445	50193	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:42.124313116 CET	445	50194	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:42.124380112 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.124416113 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.124449968 CET	50193	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:42.129198074 CET	445	50194	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:42.358920097 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:42.363759995 CET	445	50195	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:42.363848925 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:42.363879919 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:47:42.368659019 CET	445	50195	218.112.212.1	192.168.2.5
Jan 15, 2025 17:47:43.365151882 CET	445	49877	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:43.365222931 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:43.365313053 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:43.365390062 CET	49877	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:43.370022058 CET	445	49877	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:43.370125055 CET	445	49877	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:43.836009026 CET	445	50194	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:43.836075068 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:43.836119890 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:43.836180925 CET	50194	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:43.840925932 CET	445	50194	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:43.840949059 CET	445	50194	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:44.125106096 CET	50210	445	192.168.2.5	63.217.137.251
Jan 15, 2025 17:47:44.130004883 CET	445	50210	63.217.137.251	192.168.2.5
Jan 15, 2025 17:47:44.134160042 CET	50210	445	192.168.2.5	63.217.137.251
Jan 15, 2025 17:47:44.134320974 CET	50210	445	192.168.2.5	63.217.137.251
Jan 15, 2025 17:47:44.134571075 CET	50211	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.139328957 CET	445	50211	63.217.137.1	192.168.2.5
Jan 15, 2025 17:47:44.139439106 CET	445	50210	63.217.137.251	192.168.2.5
Jan 15, 2025 17:47:44.139529943 CET	50210	445	192.168.2.5	63.217.137.251
Jan 15, 2025 17:47:44.139552116 CET	50211	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.139637947 CET	50211	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.140193939 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.144491911 CET	445	50211	63.217.137.1	192.168.2.5
Jan 15, 2025 17:47:44.144998074 CET	445	50212	63.217.137.1	192.168.2.5
Jan 15, 2025 17:47:44.145080090 CET	50211	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.145101070 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.145148993 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:47:44.149874926 CET	445	50212	63.217.137.1	192.168.2.5
Jan 15, 2025 17:47:44.358988047 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:44.363780022 CET	445	50214	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:44.363888025 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:44.364084959 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:47:44.368911028 CET	445	50214	77.53.16.1	192.168.2.5
Jan 15, 2025 17:47:44.525548935 CET	443	49931	23.1.237.91	192.168.2.5
Jan 15, 2025 17:47:44.528615952 CET	49931	443	192.168.2.5	23.1.237.91
Jan 15, 2025 17:47:45.343328953 CET	445	49919	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:45.346214056 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:45.349044085 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:45.349098921 CET	49919	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:45.353889942 CET	445	49919	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:45.353920937 CET	445	49919	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:46.140827894 CET	50225	445	192.168.2.5	144.29.150.72
Jan 15, 2025 17:47:46.145765066 CET	445	50225	144.29.150.72	192.168.2.5
Jan 15, 2025 17:47:46.145869970 CET	50225	445	192.168.2.5	144.29.150.72
Jan 15, 2025 17:47:46.145908117 CET	50225	445	192.168.2.5	144.29.150.72
Jan 15, 2025 17:47:46.146109104 CET	50226	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.150991917 CET	445	50225	144.29.150.72	192.168.2.5
Jan 15, 2025 17:47:46.151027918 CET	445	50226	144.29.150.1	192.168.2.5
Jan 15, 2025 17:47:46.151086092 CET	50225	445	192.168.2.5	144.29.150.72
Jan 15, 2025 17:47:46.151127100 CET	50226	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.151215076 CET	50226	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.151482105 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.156107903 CET	445	50226	144.29.150.1	192.168.2.5
Jan 15, 2025 17:47:46.156166077 CET	50226	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.156322002 CET	445	50227	144.29.150.1	192.168.2.5
Jan 15, 2025 17:47:46.156385899 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.156425953 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:47:46.161223888 CET	445	50227	144.29.150.1	192.168.2.5
Jan 15, 2025 17:47:46.374672890 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:46.379667044 CET	445	50228	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:46.379770041 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:46.379813910 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:47:46.384627104 CET	445	50228	13.229.164.1	192.168.2.5
Jan 15, 2025 17:47:46.843199968 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:46.848073959 CET	445	50234	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:46.848160028 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:46.848414898 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:46.853244066 CET	445	50234	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:47.362766027 CET	445	49952	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:47.362835884 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:47.362876892 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:47.362895966 CET	49952	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:47.367821932 CET	445	49952	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:47.367842913 CET	445	49952	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:48.017333984 CET	50240	445	192.168.2.5	31.52.246.6
Jan 15, 2025 17:47:48.022252083 CET	445	50240	31.52.246.6	192.168.2.5
Jan 15, 2025 17:47:48.022356987 CET	50240	445	192.168.2.5	31.52.246.6
Jan 15, 2025 17:47:48.022430897 CET	50240	445	192.168.2.5	31.52.246.6
Jan 15, 2025 17:47:48.022566080 CET	50241	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.027352095 CET	445	50241	31.52.246.1	192.168.2.5
Jan 15, 2025 17:47:48.027400017 CET	445	50240	31.52.246.6	192.168.2.5
Jan 15, 2025 17:47:48.027441025 CET	50241	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.027472019 CET	50240	445	192.168.2.5	31.52.246.6
Jan 15, 2025 17:47:48.027478933 CET	50241	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.028065920 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.032368898 CET	445	50241	31.52.246.1	192.168.2.5
Jan 15, 2025 17:47:48.032448053 CET	50241	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.032872915 CET	445	50242	31.52.246.1	192.168.2.5
Jan 15, 2025 17:47:48.033411026 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.037281036 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:47:48.042151928 CET	445	50242	31.52.246.1	192.168.2.5
Jan 15, 2025 17:47:48.359016895 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:48.364089012 CET	445	50243	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:48.364181995 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:48.364207983 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:47:48.368990898 CET	445	50243	101.5.197.1	192.168.2.5
Jan 15, 2025 17:47:48.570184946 CET	445	50234	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:48.570267916 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:48.570306063 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:48.570343971 CET	50234	445	192.168.2.5	78.130.181.1
Jan 15, 2025 17:47:48.575054884 CET	445	50234	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:48.575098991 CET	445	50234	78.130.181.1	192.168.2.5
Jan 15, 2025 17:47:48.624948025 CET	50244	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.629900932 CET	445	50244	78.130.181.2	192.168.2.5
Jan 15, 2025 17:47:48.632751942 CET	50244	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.632930994 CET	50244	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.633269072 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.637733936 CET	445	50244	78.130.181.2	192.168.2.5
Jan 15, 2025 17:47:48.638112068 CET	445	50245	78.130.181.2	192.168.2.5
Jan 15, 2025 17:47:48.638180017 CET	50244	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.638221025 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.638247967 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:47:48.643157005 CET	445	50245	78.130.181.2	192.168.2.5
Jan 15, 2025 17:47:49.425570011 CET	445	49990	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:49.425707102 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:49.425786972 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:49.425786972 CET	49990	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:49.430593014 CET	445	49990	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:49.430605888 CET	445	49990	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:49.765398979 CET	50251	445	192.168.2.5	216.60.73.223
Jan 15, 2025 17:47:49.770340919 CET	445	50251	216.60.73.223	192.168.2.5
Jan 15, 2025 17:47:49.770440102 CET	50251	445	192.168.2.5	216.60.73.223
Jan 15, 2025 17:47:49.770551920 CET	50251	445	192.168.2.5	216.60.73.223
Jan 15, 2025 17:47:49.770771980 CET	50252	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.775420904 CET	445	50251	216.60.73.223	192.168.2.5
Jan 15, 2025 17:47:49.775482893 CET	50251	445	192.168.2.5	216.60.73.223
Jan 15, 2025 17:47:49.775641918 CET	445	50252	216.60.73.1	192.168.2.5
Jan 15, 2025 17:47:49.775707006 CET	50252	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.775749922 CET	50252	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.776047945 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.780774117 CET	445	50252	216.60.73.1	192.168.2.5
Jan 15, 2025 17:47:49.780839920 CET	50252	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.780843973 CET	445	50253	216.60.73.1	192.168.2.5
Jan 15, 2025 17:47:49.780904055 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.780944109 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:47:49.785798073 CET	445	50253	216.60.73.1	192.168.2.5
Jan 15, 2025 17:47:50.375977039 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:50.380733967 CET	445	50258	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:50.380804062 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:50.380821943 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:47:50.385658026 CET	445	50258	41.240.115.1	192.168.2.5
Jan 15, 2025 17:47:51.391984940 CET	445	50030	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:51.392071962 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:51.392112017 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:51.392199039 CET	50030	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:51.397521973 CET	445	50030	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:51.397538900 CET	445	50030	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:51.406482935 CET	50265	445	192.168.2.5	129.17.117.58
Jan 15, 2025 17:47:51.411288977 CET	445	50265	129.17.117.58	192.168.2.5
Jan 15, 2025 17:47:51.411659002 CET	50266	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.411725998 CET	50265	445	192.168.2.5	129.17.117.58
Jan 15, 2025 17:47:51.411725998 CET	50265	445	192.168.2.5	129.17.117.58
Jan 15, 2025 17:47:51.416647911 CET	445	50266	129.17.117.1	192.168.2.5
Jan 15, 2025 17:47:51.416728973 CET	50266	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.416852951 CET	50266	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.417251110 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.422138929 CET	445	50267	129.17.117.1	192.168.2.5
Jan 15, 2025 17:47:51.422219992 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.422245026 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.423527956 CET	445	50265	129.17.117.58	192.168.2.5
Jan 15, 2025 17:47:51.423557043 CET	445	50266	129.17.117.1	192.168.2.5
Jan 15, 2025 17:47:51.423762083 CET	445	50265	129.17.117.58	192.168.2.5
Jan 15, 2025 17:47:51.423849106 CET	50265	445	192.168.2.5	129.17.117.58
Jan 15, 2025 17:47:51.423929930 CET	445	50266	129.17.117.1	192.168.2.5
Jan 15, 2025 17:47:51.423994064 CET	50266	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:47:51.427172899 CET	445	50267	129.17.117.1	192.168.2.5
Jan 15, 2025 17:47:52.436990976 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:52.441806078 CET	445	50274	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:52.441899061 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:52.442025900 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:47:52.446773052 CET	445	50274	208.140.179.1	192.168.2.5
Jan 15, 2025 17:47:52.937705994 CET	50279	445	192.168.2.5	126.75.17.59
Jan 15, 2025 17:47:52.942579985 CET	445	50279	126.75.17.59	192.168.2.5
Jan 15, 2025 17:47:52.944232941 CET	50279	445	192.168.2.5	126.75.17.59
Jan 15, 2025 17:47:52.944276094 CET	50279	445	192.168.2.5	126.75.17.59
Jan 15, 2025 17:47:52.944418907 CET	50280	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.949270964 CET	445	50279	126.75.17.59	192.168.2.5
Jan 15, 2025 17:47:52.949282885 CET	445	50280	126.75.17.1	192.168.2.5
Jan 15, 2025 17:47:52.949346066 CET	50279	445	192.168.2.5	126.75.17.59
Jan 15, 2025 17:47:52.949385881 CET	50280	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.949512959 CET	50280	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.949803114 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.954525948 CET	445	50280	126.75.17.1	192.168.2.5
Jan 15, 2025 17:47:52.954611063 CET	50280	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.954670906 CET	445	50281	126.75.17.1	192.168.2.5
Jan 15, 2025 17:47:52.954745054 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.954798937 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:47:52.959537983 CET	445	50281	126.75.17.1	192.168.2.5
Jan 15, 2025 17:47:53.315659046 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:53.315701008 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:53.315798998 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:53.316549063 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:53.316572905 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:53.420239925 CET	445	50066	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:53.420707941 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:53.421055079 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:53.421096087 CET	50066	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:53.425786972 CET	445	50066	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:53.425800085 CET	445	50066	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:54.112627983 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.112701893 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.114725113 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.114738941 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.114984035 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.116408110 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.116408110 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.116434097 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.116533995 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.163333893 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.291233063 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.291399002 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.291495085 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.291640997 CET	50283	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:47:54.291661978 CET	443	50283	40.115.3.253	192.168.2.5
Jan 15, 2025 17:47:54.359678984 CET	50292	445	192.168.2.5	35.81.47.184
Jan 15, 2025 17:47:54.364432096 CET	445	50292	35.81.47.184	192.168.2.5
Jan 15, 2025 17:47:54.364496946 CET	50292	445	192.168.2.5	35.81.47.184
Jan 15, 2025 17:47:54.364530087 CET	50292	445	192.168.2.5	35.81.47.184
Jan 15, 2025 17:47:54.364700079 CET	50293	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.369414091 CET	445	50292	35.81.47.184	192.168.2.5
Jan 15, 2025 17:47:54.369471073 CET	50292	445	192.168.2.5	35.81.47.184
Jan 15, 2025 17:47:54.369502068 CET	445	50293	35.81.47.1	192.168.2.5
Jan 15, 2025 17:47:54.369559050 CET	50293	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.369580030 CET	50293	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.369862080 CET	50295	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.374475002 CET	445	50293	35.81.47.1	192.168.2.5
Jan 15, 2025 17:47:54.374526024 CET	50293	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.374630928 CET	445	50295	35.81.47.1	192.168.2.5
Jan 15, 2025 17:47:54.374702930 CET	50295	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.374763012 CET	50295	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:47:54.379509926 CET	445	50295	35.81.47.1	192.168.2.5
Jan 15, 2025 17:47:54.406394005 CET	50296	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:54.411375046 CET	445	50296	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:54.411523104 CET	50296	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:54.411523104 CET	50296	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:47:54.416451931 CET	445	50296	154.83.26.1	192.168.2.5
Jan 15, 2025 17:47:55.442857981 CET	445	50102	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:55.442934036 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:55.443125010 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:55.443166018 CET	50102	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:55.447994947 CET	445	50102	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:55.448026896 CET	445	50102	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:55.687211037 CET	50303	445	192.168.2.5	88.125.174.20
Jan 15, 2025 17:47:55.692102909 CET	445	50303	88.125.174.20	192.168.2.5
Jan 15, 2025 17:47:55.692195892 CET	50303	445	192.168.2.5	88.125.174.20
Jan 15, 2025 17:47:55.692209005 CET	50303	445	192.168.2.5	88.125.174.20
Jan 15, 2025 17:47:55.692342997 CET	50304	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.697132111 CET	445	50304	88.125.174.1	192.168.2.5
Jan 15, 2025 17:47:55.697187901 CET	50304	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.697218895 CET	445	50303	88.125.174.20	192.168.2.5
Jan 15, 2025 17:47:55.697262049 CET	50303	445	192.168.2.5	88.125.174.20
Jan 15, 2025 17:47:55.697365999 CET	50304	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.697691917 CET	50305	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.702199936 CET	445	50304	88.125.174.1	192.168.2.5
Jan 15, 2025 17:47:55.702260017 CET	50304	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.702543020 CET	445	50305	88.125.174.1	192.168.2.5
Jan 15, 2025 17:47:55.702613115 CET	50305	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.702651024 CET	50305	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:47:55.707449913 CET	445	50305	88.125.174.1	192.168.2.5
Jan 15, 2025 17:47:56.563946009 CET	50311	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:56.569708109 CET	445	50311	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:56.569768906 CET	50311	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:56.569797993 CET	50311	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:47:56.574551105 CET	445	50311	2.6.237.1	192.168.2.5
Jan 15, 2025 17:47:56.921608925 CET	50316	445	192.168.2.5	88.23.242.224
Jan 15, 2025 17:47:56.926383018 CET	445	50316	88.23.242.224	192.168.2.5
Jan 15, 2025 17:47:56.926474094 CET	50316	445	192.168.2.5	88.23.242.224
Jan 15, 2025 17:47:56.926501989 CET	50316	445	192.168.2.5	88.23.242.224
Jan 15, 2025 17:47:56.926594019 CET	50317	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.931346893 CET	445	50317	88.23.242.1	192.168.2.5
Jan 15, 2025 17:47:56.931404114 CET	50317	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.931435108 CET	50317	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.931452990 CET	445	50316	88.23.242.224	192.168.2.5
Jan 15, 2025 17:47:56.931502104 CET	50316	445	192.168.2.5	88.23.242.224
Jan 15, 2025 17:47:56.931679964 CET	50318	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.936346054 CET	445	50317	88.23.242.1	192.168.2.5
Jan 15, 2025 17:47:56.936417103 CET	50317	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.936443090 CET	445	50318	88.23.242.1	192.168.2.5
Jan 15, 2025 17:47:56.936506987 CET	50318	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.936520100 CET	50318	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:47:56.941750050 CET	445	50318	88.23.242.1	192.168.2.5
Jan 15, 2025 17:47:57.455033064 CET	445	50138	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:57.455148935 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:57.455188036 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:57.455244064 CET	50138	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:47:57.460062981 CET	445	50138	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:57.460084915 CET	445	50138	40.64.79.1	192.168.2.5
Jan 15, 2025 17:47:57.662436962 CET	445	50141	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:57.662600994 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:57.662662029 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:57.662708998 CET	50141	445	192.168.2.5	65.166.2.1
Jan 15, 2025 17:47:57.667416096 CET	445	50141	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:57.667493105 CET	445	50141	65.166.2.1	192.168.2.5
Jan 15, 2025 17:47:57.718497992 CET	50324	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.724176884 CET	445	50324	65.166.2.2	192.168.2.5
Jan 15, 2025 17:47:57.724265099 CET	50324	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.724303961 CET	50324	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.724736929 CET	50325	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.730515003 CET	445	50325	65.166.2.2	192.168.2.5
Jan 15, 2025 17:47:57.730597973 CET	50325	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.730635881 CET	50325	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.731115103 CET	445	50324	65.166.2.2	192.168.2.5
Jan 15, 2025 17:47:57.731173992 CET	50324	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:47:57.736824989 CET	445	50325	65.166.2.2	192.168.2.5
Jan 15, 2025 17:47:58.077896118 CET	50327	445	192.168.2.5	116.101.184.130
Jan 15, 2025 17:47:58.082819939 CET	445	50327	116.101.184.130	192.168.2.5
Jan 15, 2025 17:47:58.082933903 CET	50327	445	192.168.2.5	116.101.184.130
Jan 15, 2025 17:47:58.082933903 CET	50327	445	192.168.2.5	116.101.184.130
Jan 15, 2025 17:47:58.083045959 CET	50328	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.087840080 CET	445	50328	116.101.184.1	192.168.2.5
Jan 15, 2025 17:47:58.088006973 CET	50328	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.088006973 CET	50328	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.088164091 CET	445	50327	116.101.184.130	192.168.2.5
Jan 15, 2025 17:47:58.088301897 CET	50329	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.088323116 CET	50327	445	192.168.2.5	116.101.184.130
Jan 15, 2025 17:47:58.092995882 CET	445	50328	116.101.184.1	192.168.2.5
Jan 15, 2025 17:47:58.093058109 CET	50328	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.093080997 CET	445	50329	116.101.184.1	192.168.2.5
Jan 15, 2025 17:47:58.093153954 CET	50329	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.093178988 CET	50329	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:47:58.098021984 CET	445	50329	116.101.184.1	192.168.2.5
Jan 15, 2025 17:47:58.452603102 CET	50334	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:58.457458973 CET	445	50334	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:58.457531929 CET	50334	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:58.457583904 CET	50334	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:47:58.462383986 CET	445	50334	126.122.68.1	192.168.2.5
Jan 15, 2025 17:47:59.156188011 CET	50338	445	192.168.2.5	193.204.71.168
Jan 15, 2025 17:47:59.161042929 CET	445	50338	193.204.71.168	192.168.2.5
Jan 15, 2025 17:47:59.161139965 CET	50338	445	192.168.2.5	193.204.71.168
Jan 15, 2025 17:47:59.161184072 CET	50338	445	192.168.2.5	193.204.71.168
Jan 15, 2025 17:47:59.161305904 CET	50339	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.166129112 CET	445	50339	193.204.71.1	192.168.2.5
Jan 15, 2025 17:47:59.166157007 CET	445	50338	193.204.71.168	192.168.2.5
Jan 15, 2025 17:47:59.166212082 CET	50339	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.166212082 CET	50339	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.166241884 CET	50338	445	192.168.2.5	193.204.71.168
Jan 15, 2025 17:47:59.166527033 CET	50342	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.171180964 CET	445	50339	193.204.71.1	192.168.2.5
Jan 15, 2025 17:47:59.171233892 CET	50339	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.171360016 CET	445	50342	193.204.71.1	192.168.2.5
Jan 15, 2025 17:47:59.171433926 CET	50342	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.171478033 CET	50342	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:47:59.176212072 CET	445	50342	193.204.71.1	192.168.2.5
Jan 15, 2025 17:47:59.454546928 CET	445	50161	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:59.454607964 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:59.454653025 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:59.454698086 CET	50161	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:47:59.459469080 CET	445	50161	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:59.459482908 CET	445	50161	55.191.105.1	192.168.2.5
Jan 15, 2025 17:47:59.703497887 CET	445	50163	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:59.704997063 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:59.705099106 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:59.705099106 CET	50163	445	192.168.2.5	194.183.238.1
Jan 15, 2025 17:47:59.709904909 CET	445	50163	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:59.709918976 CET	445	50163	194.183.238.1	192.168.2.5
Jan 15, 2025 17:47:59.765459061 CET	50345	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.770523071 CET	445	50345	194.183.238.2	192.168.2.5
Jan 15, 2025 17:47:59.770901918 CET	50345	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.770942926 CET	50345	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.771303892 CET	50346	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.775949001 CET	445	50345	194.183.238.2	192.168.2.5
Jan 15, 2025 17:47:59.776015997 CET	50345	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.776115894 CET	445	50346	194.183.238.2	192.168.2.5
Jan 15, 2025 17:47:59.776185036 CET	50346	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.776220083 CET	50346	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:47:59.780996084 CET	445	50346	194.183.238.2	192.168.2.5
Jan 15, 2025 17:48:00.171715021 CET	50350	445	192.168.2.5	116.74.169.95
Jan 15, 2025 17:48:00.176625967 CET	445	50350	116.74.169.95	192.168.2.5
Jan 15, 2025 17:48:00.176822901 CET	50350	445	192.168.2.5	116.74.169.95
Jan 15, 2025 17:48:00.176822901 CET	50350	445	192.168.2.5	116.74.169.95
Jan 15, 2025 17:48:00.176865101 CET	50351	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.181698084 CET	445	50351	116.74.169.1	192.168.2.5
Jan 15, 2025 17:48:00.181785107 CET	50351	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.181786060 CET	50351	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.181833029 CET	445	50350	116.74.169.95	192.168.2.5
Jan 15, 2025 17:48:00.182044983 CET	50350	445	192.168.2.5	116.74.169.95
Jan 15, 2025 17:48:00.182096958 CET	50352	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.186719894 CET	445	50351	116.74.169.1	192.168.2.5
Jan 15, 2025 17:48:00.186796904 CET	50351	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.186937094 CET	445	50352	116.74.169.1	192.168.2.5
Jan 15, 2025 17:48:00.187021017 CET	50352	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.187021017 CET	50352	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:00.191848993 CET	445	50352	116.74.169.1	192.168.2.5
Jan 15, 2025 17:48:00.468319893 CET	50354	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:48:00.523458958 CET	445	50354	40.64.79.1	192.168.2.5
Jan 15, 2025 17:48:00.524501085 CET	50354	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:48:00.524557114 CET	50354	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:48:00.529336929 CET	445	50354	40.64.79.1	192.168.2.5
Jan 15, 2025 17:48:01.109252930 CET	50361	445	192.168.2.5	170.97.32.147
Jan 15, 2025 17:48:01.114039898 CET	445	50361	170.97.32.147	192.168.2.5
Jan 15, 2025 17:48:01.114124060 CET	50361	445	192.168.2.5	170.97.32.147
Jan 15, 2025 17:48:01.114195108 CET	50361	445	192.168.2.5	170.97.32.147
Jan 15, 2025 17:48:01.114356995 CET	50362	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.119081020 CET	445	50361	170.97.32.147	192.168.2.5
Jan 15, 2025 17:48:01.119148970 CET	445	50362	170.97.32.1	192.168.2.5
Jan 15, 2025 17:48:01.119151115 CET	50361	445	192.168.2.5	170.97.32.147
Jan 15, 2025 17:48:01.119213104 CET	50362	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.119306087 CET	50362	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.119613886 CET	50363	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.124131918 CET	445	50362	170.97.32.1	192.168.2.5
Jan 15, 2025 17:48:01.124203920 CET	50362	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.124466896 CET	445	50363	170.97.32.1	192.168.2.5
Jan 15, 2025 17:48:01.124562979 CET	50363	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.124563932 CET	50363	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:01.129317999 CET	445	50363	170.97.32.1	192.168.2.5
Jan 15, 2025 17:48:01.469249010 CET	445	50177	33.180.119.1	192.168.2.5
Jan 15, 2025 17:48:01.469326019 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:01.469388008 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:01.469434023 CET	50177	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:01.474580050 CET	445	50177	33.180.119.1	192.168.2.5
Jan 15, 2025 17:48:01.474595070 CET	445	50177	33.180.119.1	192.168.2.5
Jan 15, 2025 17:48:01.704745054 CET	445	50182	25.38.30.1	192.168.2.5
Jan 15, 2025 17:48:01.704839945 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:48:01.705066919 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:48:01.705142021 CET	50182	445	192.168.2.5	25.38.30.1
Jan 15, 2025 17:48:01.709849119 CET	445	50182	25.38.30.1	192.168.2.5
Jan 15, 2025 17:48:01.709873915 CET	445	50182	25.38.30.1	192.168.2.5
Jan 15, 2025 17:48:01.765399933 CET	50364	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.770193100 CET	445	50364	25.38.30.2	192.168.2.5
Jan 15, 2025 17:48:01.770425081 CET	50364	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.770461082 CET	50364	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.770776987 CET	50365	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.775396109 CET	445	50364	25.38.30.2	192.168.2.5
Jan 15, 2025 17:48:01.775490046 CET	50364	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.775592089 CET	445	50365	25.38.30.2	192.168.2.5
Jan 15, 2025 17:48:01.775690079 CET	50365	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.775719881 CET	50365	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:01.780451059 CET	445	50365	25.38.30.2	192.168.2.5
Jan 15, 2025 17:48:01.984972000 CET	50366	445	192.168.2.5	94.215.143.221
Jan 15, 2025 17:48:01.989859104 CET	445	50366	94.215.143.221	192.168.2.5
Jan 15, 2025 17:48:01.989943027 CET	50366	445	192.168.2.5	94.215.143.221
Jan 15, 2025 17:48:01.990017891 CET	50366	445	192.168.2.5	94.215.143.221
Jan 15, 2025 17:48:01.990200996 CET	50367	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:01.994921923 CET	445	50366	94.215.143.221	192.168.2.5
Jan 15, 2025 17:48:01.995141983 CET	445	50367	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:01.995213985 CET	50366	445	192.168.2.5	94.215.143.221
Jan 15, 2025 17:48:01.995280027 CET	50367	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:01.997550011 CET	50367	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:01.997936010 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:02.002814054 CET	445	50367	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:02.002844095 CET	445	50368	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:02.002890110 CET	50367	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:02.002926111 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:02.002952099 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:02.007772923 CET	445	50368	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:02.468420982 CET	50369	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:48:02.473344088 CET	445	50369	55.191.105.1	192.168.2.5
Jan 15, 2025 17:48:02.473462105 CET	50369	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:48:02.473539114 CET	50369	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:48:02.480073929 CET	445	50369	55.191.105.1	192.168.2.5
Jan 15, 2025 17:48:02.812591076 CET	50370	445	192.168.2.5	76.82.8.189
Jan 15, 2025 17:48:02.817404985 CET	445	50370	76.82.8.189	192.168.2.5
Jan 15, 2025 17:48:02.818089962 CET	50370	445	192.168.2.5	76.82.8.189
Jan 15, 2025 17:48:02.818170071 CET	50370	445	192.168.2.5	76.82.8.189
Jan 15, 2025 17:48:02.818337917 CET	50371	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.823079109 CET	445	50370	76.82.8.189	192.168.2.5
Jan 15, 2025 17:48:02.823139906 CET	445	50371	76.82.8.1	192.168.2.5
Jan 15, 2025 17:48:02.823220015 CET	50370	445	192.168.2.5	76.82.8.189
Jan 15, 2025 17:48:02.823246002 CET	50371	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.823331118 CET	50371	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.823628902 CET	50372	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.828381062 CET	445	50372	76.82.8.1	192.168.2.5
Jan 15, 2025 17:48:02.828461885 CET	50372	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.828475952 CET	445	50371	76.82.8.1	192.168.2.5
Jan 15, 2025 17:48:02.828496933 CET	50372	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.828528881 CET	50371	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:02.833271027 CET	445	50372	76.82.8.1	192.168.2.5
Jan 15, 2025 17:48:03.271970034 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:03.272042036 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:03.272114992 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:03.272658110 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:03.272686958 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:03.577914953 CET	50374	445	192.168.2.5	2.139.197.109
Jan 15, 2025 17:48:03.582874060 CET	445	50374	2.139.197.109	192.168.2.5
Jan 15, 2025 17:48:03.582952976 CET	50374	445	192.168.2.5	2.139.197.109
Jan 15, 2025 17:48:03.582983017 CET	50374	445	192.168.2.5	2.139.197.109
Jan 15, 2025 17:48:03.583199024 CET	50375	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.587925911 CET	445	50374	2.139.197.109	192.168.2.5
Jan 15, 2025 17:48:03.587986946 CET	50374	445	192.168.2.5	2.139.197.109
Jan 15, 2025 17:48:03.588032007 CET	445	50375	2.139.197.1	192.168.2.5
Jan 15, 2025 17:48:03.588105917 CET	50375	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.588265896 CET	50375	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.588488102 CET	50376	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.593074083 CET	445	50375	2.139.197.1	192.168.2.5
Jan 15, 2025 17:48:03.593127966 CET	50375	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.593257904 CET	445	50376	2.139.197.1	192.168.2.5
Jan 15, 2025 17:48:03.593314886 CET	50376	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.593425989 CET	50376	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:03.598176003 CET	445	50376	2.139.197.1	192.168.2.5
Jan 15, 2025 17:48:03.682998896 CET	445	50368	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:03.683073997 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:03.683120012 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:03.683131933 CET	50368	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:03.687973976 CET	445	50368	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:03.687995911 CET	445	50368	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:03.738147020 CET	445	50195	218.112.212.1	192.168.2.5
Jan 15, 2025 17:48:03.738234043 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:48:03.738276005 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:48:03.738389969 CET	50195	445	192.168.2.5	218.112.212.1
Jan 15, 2025 17:48:03.743128061 CET	445	50195	218.112.212.1	192.168.2.5
Jan 15, 2025 17:48:03.743169069 CET	445	50195	218.112.212.1	192.168.2.5
Jan 15, 2025 17:48:03.796492100 CET	50377	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.801381111 CET	445	50377	218.112.212.2	192.168.2.5
Jan 15, 2025 17:48:03.801460981 CET	50377	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.801538944 CET	50377	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.801872969 CET	50378	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.806513071 CET	445	50377	218.112.212.2	192.168.2.5
Jan 15, 2025 17:48:03.806612968 CET	50377	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.806664944 CET	445	50378	218.112.212.2	192.168.2.5
Jan 15, 2025 17:48:03.806910038 CET	50378	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.806947947 CET	50378	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:03.811672926 CET	445	50378	218.112.212.2	192.168.2.5
Jan 15, 2025 17:48:04.253289938 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.253412962 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.255666971 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.255697012 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.259295940 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.261310101 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.261401892 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.261415005 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.261554956 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.307333946 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.431616068 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.431727886 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.431926966 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.432018042 CET	50373	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:04.432063103 CET	443	50373	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:04.484061956 CET	50380	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:04.489181042 CET	445	50380	33.180.119.1	192.168.2.5
Jan 15, 2025 17:48:04.489291906 CET	50380	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:04.489335060 CET	50380	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:04.495589018 CET	445	50380	33.180.119.1	192.168.2.5
Jan 15, 2025 17:48:05.519788027 CET	445	50212	63.217.137.1	192.168.2.5
Jan 15, 2025 17:48:05.519869089 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:05.519895077 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:05.519926071 CET	50212	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:05.524645090 CET	445	50212	63.217.137.1	192.168.2.5
Jan 15, 2025 17:48:05.524707079 CET	445	50212	63.217.137.1	192.168.2.5
Jan 15, 2025 17:48:05.718749046 CET	445	50214	77.53.16.1	192.168.2.5
Jan 15, 2025 17:48:05.718920946 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:48:05.719095945 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:48:05.719095945 CET	50214	445	192.168.2.5	77.53.16.1
Jan 15, 2025 17:48:05.723979950 CET	445	50214	77.53.16.1	192.168.2.5
Jan 15, 2025 17:48:05.724003077 CET	445	50214	77.53.16.1	192.168.2.5
Jan 15, 2025 17:48:05.780869961 CET	50384	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.785921097 CET	445	50384	77.53.16.2	192.168.2.5
Jan 15, 2025 17:48:05.786098003 CET	50384	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.786185980 CET	50384	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.786675930 CET	50385	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.791109085 CET	445	50384	77.53.16.2	192.168.2.5
Jan 15, 2025 17:48:05.791230917 CET	50384	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.791474104 CET	445	50385	77.53.16.2	192.168.2.5
Jan 15, 2025 17:48:05.791554928 CET	50385	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.791599989 CET	50385	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:05.796416998 CET	445	50385	77.53.16.2	192.168.2.5
Jan 15, 2025 17:48:06.687073946 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:06.692586899 CET	445	50389	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:06.692743063 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:06.692785025 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:06.697635889 CET	445	50389	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:07.532294035 CET	445	50227	144.29.150.1	192.168.2.5
Jan 15, 2025 17:48:07.532454967 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:07.532565117 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:07.532566071 CET	50227	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:07.537427902 CET	445	50227	144.29.150.1	192.168.2.5
Jan 15, 2025 17:48:07.537445068 CET	445	50227	144.29.150.1	192.168.2.5
Jan 15, 2025 17:48:07.753963947 CET	445	50228	13.229.164.1	192.168.2.5
Jan 15, 2025 17:48:07.754081011 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:48:07.754153967 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:48:07.754221916 CET	50228	445	192.168.2.5	13.229.164.1
Jan 15, 2025 17:48:07.759146929 CET	445	50228	13.229.164.1	192.168.2.5
Jan 15, 2025 17:48:07.759160042 CET	445	50228	13.229.164.1	192.168.2.5
Jan 15, 2025 17:48:07.816736937 CET	50397	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.821760893 CET	445	50397	13.229.164.2	192.168.2.5
Jan 15, 2025 17:48:07.821912050 CET	50397	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.821928024 CET	50397	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.822304010 CET	50398	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.826951981 CET	445	50397	13.229.164.2	192.168.2.5
Jan 15, 2025 17:48:07.827023983 CET	50397	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.827260017 CET	445	50398	13.229.164.2	192.168.2.5
Jan 15, 2025 17:48:07.827352047 CET	50398	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.830127001 CET	50398	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:07.832295895 CET	445	50398	13.229.164.2	192.168.2.5
Jan 15, 2025 17:48:07.835026026 CET	445	50398	13.229.164.2	192.168.2.5
Jan 15, 2025 17:48:08.323472023 CET	445	50389	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:08.323606968 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:08.323642015 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:08.323648930 CET	50389	445	192.168.2.5	94.215.143.1
Jan 15, 2025 17:48:08.328552008 CET	445	50389	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:08.328566074 CET	445	50389	94.215.143.1	192.168.2.5
Jan 15, 2025 17:48:08.374610901 CET	50404	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.379585981 CET	445	50404	94.215.143.2	192.168.2.5
Jan 15, 2025 17:48:08.379693031 CET	50404	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.379790068 CET	50404	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.380182981 CET	50405	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.384792089 CET	445	50404	94.215.143.2	192.168.2.5
Jan 15, 2025 17:48:08.384886980 CET	50404	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.385008097 CET	445	50405	94.215.143.2	192.168.2.5
Jan 15, 2025 17:48:08.385080099 CET	50405	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.385123014 CET	50405	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:08.389939070 CET	445	50405	94.215.143.2	192.168.2.5
Jan 15, 2025 17:48:08.531152964 CET	50407	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:08.536113024 CET	445	50407	63.217.137.1	192.168.2.5
Jan 15, 2025 17:48:08.536251068 CET	50407	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:08.536315918 CET	50407	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:08.541120052 CET	445	50407	63.217.137.1	192.168.2.5
Jan 15, 2025 17:48:09.422535896 CET	445	50242	31.52.246.1	192.168.2.5
Jan 15, 2025 17:48:09.422800064 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:09.422857046 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:09.422857046 CET	50242	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:09.427728891 CET	445	50242	31.52.246.1	192.168.2.5
Jan 15, 2025 17:48:09.427740097 CET	445	50242	31.52.246.1	192.168.2.5
Jan 15, 2025 17:48:09.735037088 CET	445	50243	101.5.197.1	192.168.2.5
Jan 15, 2025 17:48:09.735265970 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:48:09.735265970 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:48:09.735265970 CET	50243	445	192.168.2.5	101.5.197.1
Jan 15, 2025 17:48:09.740737915 CET	445	50243	101.5.197.1	192.168.2.5
Jan 15, 2025 17:48:09.740747929 CET	445	50243	101.5.197.1	192.168.2.5
Jan 15, 2025 17:48:09.796523094 CET	50421	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.801575899 CET	445	50421	101.5.197.2	192.168.2.5
Jan 15, 2025 17:48:09.801649094 CET	50421	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.801678896 CET	50421	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.801944017 CET	50422	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.806772947 CET	445	50422	101.5.197.2	192.168.2.5
Jan 15, 2025 17:48:09.806783915 CET	445	50421	101.5.197.2	192.168.2.5
Jan 15, 2025 17:48:09.806853056 CET	50422	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.806853056 CET	50421	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.806920052 CET	50422	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:09.811758995 CET	445	50422	101.5.197.2	192.168.2.5
Jan 15, 2025 17:48:10.002279043 CET	445	50245	78.130.181.2	192.168.2.5
Jan 15, 2025 17:48:10.002405882 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:10.002444029 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:10.002624035 CET	50245	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:10.007196903 CET	445	50245	78.130.181.2	192.168.2.5
Jan 15, 2025 17:48:10.007396936 CET	445	50245	78.130.181.2	192.168.2.5
Jan 15, 2025 17:48:10.546401024 CET	50432	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:10.551413059 CET	445	50432	144.29.150.1	192.168.2.5
Jan 15, 2025 17:48:10.551492929 CET	50432	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:10.551517963 CET	50432	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:10.556299925 CET	445	50432	144.29.150.1	192.168.2.5
Jan 15, 2025 17:48:11.125195026 CET	445	50253	216.60.73.1	192.168.2.5
Jan 15, 2025 17:48:11.125344038 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:11.125396967 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:11.125396967 CET	50253	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:11.130294085 CET	445	50253	216.60.73.1	192.168.2.5
Jan 15, 2025 17:48:11.130352020 CET	445	50253	216.60.73.1	192.168.2.5
Jan 15, 2025 17:48:11.734688997 CET	445	50258	41.240.115.1	192.168.2.5
Jan 15, 2025 17:48:11.734972000 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:48:11.734972000 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:48:11.734972000 CET	50258	445	192.168.2.5	41.240.115.1
Jan 15, 2025 17:48:11.740160942 CET	445	50258	41.240.115.1	192.168.2.5
Jan 15, 2025 17:48:11.740191936 CET	445	50258	41.240.115.1	192.168.2.5
Jan 15, 2025 17:48:11.796320915 CET	50456	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.801465988 CET	445	50456	41.240.115.2	192.168.2.5
Jan 15, 2025 17:48:11.801624060 CET	50456	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.801798105 CET	50456	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.802243948 CET	50458	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.806731939 CET	445	50456	41.240.115.2	192.168.2.5
Jan 15, 2025 17:48:11.806793928 CET	50456	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.807065010 CET	445	50458	41.240.115.2	192.168.2.5
Jan 15, 2025 17:48:11.807123899 CET	50458	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.807162046 CET	50458	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:11.811963081 CET	445	50458	41.240.115.2	192.168.2.5
Jan 15, 2025 17:48:12.437015057 CET	50473	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:12.442262888 CET	445	50473	31.52.246.1	192.168.2.5
Jan 15, 2025 17:48:12.442361116 CET	50473	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:12.442387104 CET	50473	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:12.447205067 CET	445	50473	31.52.246.1	192.168.2.5
Jan 15, 2025 17:48:12.832026958 CET	445	50267	129.17.117.1	192.168.2.5
Jan 15, 2025 17:48:12.832109928 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:48:12.832145929 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:48:12.832217932 CET	50267	445	192.168.2.5	129.17.117.1
Jan 15, 2025 17:48:12.837069988 CET	445	50267	129.17.117.1	192.168.2.5
Jan 15, 2025 17:48:12.837105989 CET	445	50267	129.17.117.1	192.168.2.5
Jan 15, 2025 17:48:13.015163898 CET	50488	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:13.020389080 CET	445	50488	78.130.181.2	192.168.2.5
Jan 15, 2025 17:48:13.020494938 CET	50488	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:13.023334980 CET	50488	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:13.028255939 CET	445	50488	78.130.181.2	192.168.2.5
Jan 15, 2025 17:48:13.832571030 CET	445	50274	208.140.179.1	192.168.2.5
Jan 15, 2025 17:48:13.832649946 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:48:13.832679987 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:48:13.832710028 CET	50274	445	192.168.2.5	208.140.179.1
Jan 15, 2025 17:48:13.837620974 CET	445	50274	208.140.179.1	192.168.2.5
Jan 15, 2025 17:48:13.837635994 CET	445	50274	208.140.179.1	192.168.2.5
Jan 15, 2025 17:48:13.890286922 CET	50521	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.895349979 CET	445	50521	208.140.179.2	192.168.2.5
Jan 15, 2025 17:48:13.895474911 CET	50521	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.895514965 CET	50521	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.895821095 CET	50522	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.900506020 CET	445	50521	208.140.179.2	192.168.2.5
Jan 15, 2025 17:48:13.900587082 CET	50521	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.900734901 CET	445	50522	208.140.179.2	192.168.2.5
Jan 15, 2025 17:48:13.900811911 CET	50522	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.900851011 CET	50522	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:13.905657053 CET	445	50522	208.140.179.2	192.168.2.5
Jan 15, 2025 17:48:14.140188932 CET	50535	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:14.145436049 CET	445	50535	216.60.73.1	192.168.2.5
Jan 15, 2025 17:48:14.145600080 CET	50535	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:14.145644903 CET	50535	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:14.150485992 CET	445	50535	216.60.73.1	192.168.2.5
Jan 15, 2025 17:48:14.334319115 CET	445	50281	126.75.17.1	192.168.2.5
Jan 15, 2025 17:48:14.334459066 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:48:14.334518909 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:48:14.334518909 CET	50281	445	192.168.2.5	126.75.17.1
Jan 15, 2025 17:48:14.339418888 CET	445	50281	126.75.17.1	192.168.2.5
Jan 15, 2025 17:48:14.339431047 CET	445	50281	126.75.17.1	192.168.2.5
Jan 15, 2025 17:48:15.719032049 CET	445	50295	35.81.47.1	192.168.2.5
Jan 15, 2025 17:48:15.719141006 CET	50295	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:48:15.796910048 CET	445	50296	154.83.26.1	192.168.2.5
Jan 15, 2025 17:48:15.796991110 CET	50296	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:48:16.191873074 CET	50385	445	192.168.2.5	77.53.16.2
Jan 15, 2025 17:48:16.191926956 CET	50295	445	192.168.2.5	35.81.47.1
Jan 15, 2025 17:48:16.191940069 CET	50346	445	192.168.2.5	194.183.238.2
Jan 15, 2025 17:48:16.191968918 CET	50365	445	192.168.2.5	25.38.30.2
Jan 15, 2025 17:48:16.191997051 CET	50378	445	192.168.2.5	218.112.212.2
Jan 15, 2025 17:48:16.192033052 CET	50473	445	192.168.2.5	31.52.246.1
Jan 15, 2025 17:48:16.192084074 CET	50325	445	192.168.2.5	65.166.2.2
Jan 15, 2025 17:48:16.192137003 CET	50296	445	192.168.2.5	154.83.26.1
Jan 15, 2025 17:48:16.192168951 CET	50305	445	192.168.2.5	88.125.174.1
Jan 15, 2025 17:48:16.192183971 CET	50311	445	192.168.2.5	2.6.237.1
Jan 15, 2025 17:48:16.192214966 CET	50318	445	192.168.2.5	88.23.242.1
Jan 15, 2025 17:48:16.192245960 CET	50329	445	192.168.2.5	116.101.184.1
Jan 15, 2025 17:48:16.192269087 CET	50334	445	192.168.2.5	126.122.68.1
Jan 15, 2025 17:48:16.192312956 CET	50342	445	192.168.2.5	193.204.71.1
Jan 15, 2025 17:48:16.192403078 CET	50352	445	192.168.2.5	116.74.169.1
Jan 15, 2025 17:48:16.192449093 CET	50354	445	192.168.2.5	40.64.79.1
Jan 15, 2025 17:48:16.192497015 CET	50363	445	192.168.2.5	170.97.32.1
Jan 15, 2025 17:48:16.192526102 CET	50369	445	192.168.2.5	55.191.105.1
Jan 15, 2025 17:48:16.192553043 CET	50372	445	192.168.2.5	76.82.8.1
Jan 15, 2025 17:48:16.192645073 CET	50380	445	192.168.2.5	33.180.119.1
Jan 15, 2025 17:48:16.192672968 CET	50405	445	192.168.2.5	94.215.143.2
Jan 15, 2025 17:48:16.192676067 CET	50376	445	192.168.2.5	2.139.197.1
Jan 15, 2025 17:48:16.192701101 CET	50398	445	192.168.2.5	13.229.164.2
Jan 15, 2025 17:48:16.192728043 CET	50407	445	192.168.2.5	63.217.137.1
Jan 15, 2025 17:48:16.192760944 CET	50422	445	192.168.2.5	101.5.197.2
Jan 15, 2025 17:48:16.192780972 CET	50458	445	192.168.2.5	41.240.115.2
Jan 15, 2025 17:48:16.192805052 CET	50432	445	192.168.2.5	144.29.150.1
Jan 15, 2025 17:48:16.192884922 CET	50488	445	192.168.2.5	78.130.181.2
Jan 15, 2025 17:48:16.193022966 CET	50522	445	192.168.2.5	208.140.179.2
Jan 15, 2025 17:48:16.193078041 CET	50535	445	192.168.2.5	216.60.73.1
Jan 15, 2025 17:48:23.636367083 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:23.636471987 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:23.636550903 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:23.637171984 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:23.637209892 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.602288961 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.602408886 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.604413986 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.604430914 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.604646921 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.606051922 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.606113911 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.606120110 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.606211901 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.647336960 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.782958984 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.783668995 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.783735037 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.783926010 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:24.783972979 CET	443	50638	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:24.784003973 CET	50638	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:35.803148985 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:35.803225994 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:35.803348064 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:35.803863049 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:35.803884983 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.597363949 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.597512007 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.599288940 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.599301100 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.599528074 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.600969076 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.601008892 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.601013899 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.601150036 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.643326998 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.771465063 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.771562099 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:36.771621943 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.771785975 CET	50639	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:48:36.771809101 CET	443	50639	40.115.3.253	192.168.2.5
Jan 15, 2025 17:48:43.124310017 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:48:43.124376059 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:48:43.124485970 CET	49707	80	192.168.2.5	199.232.210.172
Jan 15, 2025 17:48:43.129554033 CET	443	49710	40.126.32.133	192.168.2.5
Jan 15, 2025 17:48:43.129663944 CET	49710	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:48:43.129914045 CET	443	49706	40.126.32.133	192.168.2.5
Jan 15, 2025 17:48:43.129977942 CET	49706	443	192.168.2.5	40.126.32.133
Jan 15, 2025 17:48:43.130024910 CET	80	49707	199.232.210.172	192.168.2.5
Jan 15, 2025 17:48:43.130084038 CET	49707	80	192.168.2.5	199.232.210.172
Jan 15, 2025 17:49:03.659235954 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:03.659277916 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:03.659406900 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:03.660096884 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:03.660111904 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.470436096 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.470529079 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.472454071 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.472465992 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.472671986 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.474419117 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.474493027 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.474498034 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.474605083 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.519326925 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.655123949 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.655200958 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:04.655539989 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.655698061 CET	50640	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:04.655716896 CET	443	50640	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:09.663239956 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:09.663356066 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:09.663454056 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:09.664192915 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:09.664230108 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.477025986 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.477189064 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.478678942 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.478714943 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.478956938 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.480289936 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.480348110 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.480360985 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.480478048 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.527342081 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.698990107 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.699073076 CET	443	50641	40.115.3.253	192.168.2.5
Jan 15, 2025 17:49:10.699157953 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.699367046 CET	50641	443	192.168.2.5	40.115.3.253
Jan 15, 2025 17:49:10.699408054 CET	443	50641	40.115.3.253	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:47:08.760607958 CET	65478	53	192.168.2.5	1.1.1.1
Jan 15, 2025 17:47:09.070542097 CET	53	65478	1.1.1.1	192.168.2.5
Jan 15, 2025 17:47:09.684875965 CET	63201	53	192.168.2.5	1.1.1.1
Jan 15, 2025 17:47:10.017946005 CET	53	63201	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 17:47:08.760607958 CET	192.168.2.5	1.1.1.1	0x6a21	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:09.684875965 CET	192.168.2.5	1.1.1.1	0x3af9	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 17:47:06.137216091 CET	1.1.1.1	192.168.2.5	0x70d8	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:06.137216091 CET	1.1.1.1	192.168.2.5	0x70d8	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:09.070542097 CET	1.1.1.1	192.168.2.5	0x6a21	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:47:10.017946005 CET	1.1.1.1	192.168.2.5	0x3af9	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 17:47:10.017946005 CET	1.1.1.1	192.168.2.5	0x3af9	No error (0)	77026.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	103.224.212.215	80	3292	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:09.082789898 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:47:09.680531025 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:09 GMT server: Apache set-cookie: __tad=1736959629.6434080; expires=Sat, 13-Jan-2035 16:47:09 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	199.59.243.228	80	3292	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:10.023938894 CET	169	OUT	GET /?subid1=20250116-0347-098f-a7ce-9f0e9ab6a8f5 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:47:10.521435976 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:10 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 16b7b141-0abf-4f9e-8c4f-1c3090e5ffce cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VykpxZ409fFQw1xIZg05V+iNG10Gq/Bl2hfVcqvuD11/yDInZKr8UwiNhOy/Epe+3ux+Pac6dpZ+QPzq5mX8Qg== set-cookie: parking_session=16b7b141-0abf-4f9e-8c4f-1c3090e5ffce; expires=Wed, 15 Jan 2025 17:02:10 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 79 6b 70 78 5a 34 30 39 66 46 51 77 31 78 49 5a 67 30 35 56 2b 69 4e 47 31 30 47 71 2f 42 6c 32 68 66 56 63 71 76 75 44 31 31 2f 79 44 49 6e 5a 4b 72 38 55 77 69 4e 68 4f 79 2f 45 70 65 2b 33 75 78 2b 50 61 63 36 64 70 5a 2b 51 50 7a 71 35 6d 58 38 51 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VykpxZ409fFQw1xIZg05V+iNG10Gq/Bl2hfVcqvuD11/yDInZKr8UwiNhOy/Epe+3ux+Pac6dpZ+QPzq5mX8Qg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:47:10.521452904 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTZiN2IxNDEtMGFiZi00ZjllLThjNGYtMWMzMDkwZTVmZmNlIiwicGFnZV90aW1lIjoxNzM2OTU5NjMwLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	103.224.212.215	80	6640	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:10.770787954 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jan 15, 2025 17:47:11.364633083 CET	365	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:11 GMT server: Apache set-cookie: __tad=1736959631.7349370; expires=Sat, 13-Jan-2035 16:47:11 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-119b-90f6-837dd48231ad content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	199.59.243.228	80	6640	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:11.377120018 CET	169	OUT	GET /?subid1=20250116-0347-119b-90f6-837dd48231ad HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jan 15, 2025 17:47:11.840775013 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:11 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 76cd02e5-be51-46c7-bf9d-ed2841b01ee7 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XKhAs+dmRJFmIXAJnc7hv0FuEttwIWTZf5ULe7v8qTntP+3TuZ3qh/UuqW5pySY3R7lPiF5AWHUss8opPFKYdg== set-cookie: parking_session=76cd02e5-be51-46c7-bf9d-ed2841b01ee7; expires=Wed, 15 Jan 2025 17:02:11 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 58 4b 68 41 73 2b 64 6d 52 4a 46 6d 49 58 41 4a 6e 63 37 68 76 30 46 75 45 74 74 77 49 57 54 5a 66 35 55 4c 65 37 76 38 71 54 6e 74 50 2b 33 54 75 5a 33 71 68 2f 55 75 71 57 35 70 79 53 59 33 52 37 6c 50 69 46 35 41 57 48 55 73 73 38 6f 70 50 46 4b 59 64 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XKhAs+dmRJFmIXAJnc7hv0FuEttwIWTZf5ULe7v8qTntP+3TuZ3qh/UuqW5pySY3R7lPiF5AWHUss8opPFKYdg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 15, 2025 17:47:11.840790987 CET	696	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzZjZDAyZTUtYmU1MS00NmM3LWJmOWQtZWQyODQxYjAxZWU3IiwicGFnZV90aW1lIjoxNzM2OTU5NjMxLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49722	103.224.212.215	80	2380	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:11.615814924 CET	134	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736959629.6434080
Jan 15, 2025 17:47:12.209203959 CET	269	IN	HTTP/1.1 302 Found date: Wed, 15 Jan 2025 16:47:12 GMT server: Apache location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0347-12c5-b838-b08634650efc content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49734	199.59.243.228	80	2380	C:\Windows\mssecsvr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 17:47:12.217854023 CET	231	OUT	GET /?subid1=20250116-0347-12c5-b838-b08634650efc HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=16b7b141-0abf-4f9e-8c4f-1c3090e5ffce
Jan 15, 2025 17:47:12.675833941 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 15 Jan 2025 16:47:11 GMT content-type: text/html; charset=utf-8 content-length: 1262 x-request-id: 110f454e-bcdf-430f-b591-5c92798fe0ad cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TFHPoQ09XhNUFqA8z9JCYW4zFuYAdH5PPDSLqrcqUmyw9eTaXBsoDPX25sWCFF2imdvS920XaIwtRzyXMX4shg== set-cookie: parking_session=16b7b141-0abf-4f9e-8c4f-1c3090e5ffce; expires=Wed, 15 Jan 2025 17:02:12 GMT Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 54 46 48 50 6f 51 30 39 58 68 4e 55 46 71 41 38 7a 39 4a 43 59 57 34 7a 46 75 59 41 64 48 35 50 50 44 53 4c 71 72 63 71 55 6d 79 77 39 65 54 61 58 42 73 6f 44 50 58 32 35 73 57 43 46 46 32 69 6d 64 76 53 39 32 30 58 61 49 77 74 52 7a 79 58 4d 58 34 73 68 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TFHPoQ09XhNUFqA8z9JCYW4zFuYAdH5PPDSLqrcqUmyw9eTaXBsoDPX25sWCFF2imdvS920XaIwtRzyXMX4shg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect
Jan 15, 2025 17:47:12.675851107 CET	688	IN	Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 Data Ascii: " href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTZiN2IxNDEtMGFiZi00ZjllLThjNGYtMWMzMDkwZTVmZmNlIiwicGFnZV90aW1lIjoxNzM2OTU5NjMyLCJwYWdlX3VybCI6Imh0dHA6L

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.5	49712	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:05 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 33 33 61 36 69 37 39 66 4b 55 57 68 39 45 56 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 65 39 30 39 30 33 30 36 63 33 62 35 33 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 33a6i79fKUWh9EVI.1Context: 93e9090306c3b53e
2025-01-15 16:47:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:05 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 33 33 61 36 69 37 39 66 4b 55 57 68 39 45 56 49 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 65 39 30 39 30 33 30 36 63 33 62 35 33 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 33a6i79fKUWh9EVI.2Context: 93e9090306c3b53e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:05 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 33 33 61 36 69 37 39 66 4b 55 57 68 39 45 56 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 65 39 30 39 30 33 30 36 63 33 62 35 33 65 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: 33a6i79fKUWh9EVI.3Context: 93e9090306c3b53e
2025-01-15 16:47:05 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:05 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 35 78 72 36 4e 2f 38 42 4f 55 32 30 6a 73 34 78 68 78 30 64 71 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 5xr6N/8BOU20js4xhx0dqg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.5	49718	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:09 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4a 76 43 76 2b 77 63 70 7a 30 65 58 64 50 50 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 33 66 66 65 38 38 35 31 66 62 30 31 65 34 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: JvCv+wcpz0eXdPPz.1Context: d3ffe8851fb01e45
2025-01-15 16:47:09 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:09 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4a 76 43 76 2b 77 63 70 7a 30 65 58 64 50 50 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 33 66 66 65 38 38 35 31 66 62 30 31 65 34 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: JvCv+wcpz0eXdPPz.2Context: d3ffe8851fb01e45<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:09 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 4a 76 43 76 2b 77 63 70 7a 30 65 58 64 50 50 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 33 66 66 65 38 38 35 31 66 62 30 31 65 34 35 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: JvCv+wcpz0eXdPPz.3Context: d3ffe8851fb01e45
2025-01-15 16:47:10 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:10 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 59 31 53 5a 58 51 6f 57 62 6b 47 53 4f 35 57 4b 79 67 4b 47 53 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Y1SZXQoWbkGSO5WKygKGSQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	49737	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:13 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6c 36 70 34 73 4e 6e 6b 54 45 57 31 31 6a 38 58 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 31 64 39 64 34 37 66 62 35 31 62 65 33 31 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: l6p4sNnkTEW11j8X.1Context: 81d9d47fb51be319
2025-01-15 16:47:13 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:13 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6c 36 70 34 73 4e 6e 6b 54 45 57 31 31 6a 38 58 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 31 64 39 64 34 37 66 62 35 31 62 65 33 31 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: l6p4sNnkTEW11j8X.2Context: 81d9d47fb51be319<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:13 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6c 36 70 34 73 4e 6e 6b 54 45 57 31 31 6a 38 58 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 31 64 39 64 34 37 66 62 35 31 62 65 33 31 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: l6p4sNnkTEW11j8X.3Context: 81d9d47fb51be319<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:13 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:13 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 36 6f 68 62 49 4d 38 70 38 45 2b 55 71 34 42 4a 70 6d 76 4f 57 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 6ohbIM8p8E+Uq4BJpmvOWQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.5	49813	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:19 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 70 6d 43 63 6a 45 6b 36 59 45 2b 4d 31 79 32 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 39 61 64 36 63 30 65 63 37 34 32 32 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: pmCcjEk6YE+M1y2z.1Context: a199ad6c0ec7422f
2025-01-15 16:47:19 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:19 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 70 6d 43 63 6a 45 6b 36 59 45 2b 4d 31 79 32 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 39 61 64 36 63 30 65 63 37 34 32 32 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: pmCcjEk6YE+M1y2z.2Context: a199ad6c0ec7422f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:19 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 70 6d 43 63 6a 45 6b 36 59 45 2b 4d 31 79 32 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 39 61 64 36 63 30 65 63 37 34 32 32 66 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: pmCcjEk6YE+M1y2z.3Context: a199ad6c0ec7422f
2025-01-15 16:47:19 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:19 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 46 37 55 35 36 44 37 49 76 30 53 44 77 45 71 32 44 61 44 48 7a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: F7U56D7Iv0SDwEq2DaDHzg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	49885	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:23 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6c 46 62 45 67 4a 65 54 78 6b 79 36 41 52 78 6d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 63 31 64 36 38 38 37 39 36 35 36 31 62 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: lFbEgJeTxky6ARxm.1Context: 3fc1d688796561bd
2025-01-15 16:47:23 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:23 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6c 46 62 45 67 4a 65 54 78 6b 79 36 41 52 78 6d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 63 31 64 36 38 38 37 39 36 35 36 31 62 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: lFbEgJeTxky6ARxm.2Context: 3fc1d688796561bd<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:23 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6c 46 62 45 67 4a 65 54 78 6b 79 36 41 52 78 6d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 66 63 31 64 36 38 38 37 39 36 35 36 31 62 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: lFbEgJeTxky6ARxm.3Context: 3fc1d688796561bd<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:23 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:23 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 78 33 33 2b 52 44 6f 56 48 45 61 6a 7a 51 35 59 4d 66 58 49 62 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: x33+RDoVHEajzQ5YMfXIbg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	50063	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:32 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 75 2f 6a 44 64 62 41 71 41 45 4f 44 43 77 47 6c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 36 34 62 36 39 32 61 66 35 37 38 31 39 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: u/jDdbAqAEODCwGl.1Context: 2e64b692af57819f
2025-01-15 16:47:32 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:32 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 75 2f 6a 44 64 62 41 71 41 45 4f 44 43 77 47 6c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 36 34 62 36 39 32 61 66 35 37 38 31 39 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: u/jDdbAqAEODCwGl.2Context: 2e64b692af57819f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:32 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 75 2f 6a 44 64 62 41 71 41 45 4f 44 43 77 47 6c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 36 34 62 36 39 32 61 66 35 37 38 31 39 66 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: u/jDdbAqAEODCwGl.3Context: 2e64b692af57819f
2025-01-15 16:47:32 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:32 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 61 50 59 6c 37 46 6b 38 48 45 79 32 75 62 79 63 44 43 49 36 38 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: aPYl7Fk8HEy2ubycDCI68w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	50174	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:40 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 50 33 55 2b 4d 47 70 4b 4d 45 32 65 42 47 2f 56 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 35 62 32 30 32 65 61 38 32 30 32 35 65 33 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: P3U+MGpKME2eBG/V.1Context: 55b202ea82025e3d
2025-01-15 16:47:40 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:40 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 50 33 55 2b 4d 47 70 4b 4d 45 32 65 42 47 2f 56 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 35 62 32 30 32 65 61 38 32 30 32 35 65 33 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: P3U+MGpKME2eBG/V.2Context: 55b202ea82025e3d<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:40 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 50 33 55 2b 4d 47 70 4b 4d 45 32 65 42 47 2f 56 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 35 62 32 30 32 65 61 38 32 30 32 35 65 33 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: P3U+MGpKME2eBG/V.3Context: 55b202ea82025e3d<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:47:40 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:40 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 4a 43 4e 50 49 36 4d 58 5a 30 6d 58 6d 4c 2b 37 78 75 4f 79 30 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: JCNPI6MXZ0mXmL+7xuOy0A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.5	50283	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:47:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 4e 54 4f 6b 46 65 5a 4c 30 47 70 70 38 41 4f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 65 38 62 36 33 32 61 64 34 62 32 39 35 39 37 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: NNTOkFeZL0Gpp8AO.1Context: 5e8b632ad4b29597
2025-01-15 16:47:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:47:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 4e 54 4f 6b 46 65 5a 4c 30 47 70 70 38 41 4f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 65 38 62 36 33 32 61 64 34 62 32 39 35 39 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: NNTOkFeZL0Gpp8AO.2Context: 5e8b632ad4b29597<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:47:54 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 4e 4e 54 4f 6b 46 65 5a 4c 30 47 70 70 38 41 4f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 65 38 62 36 33 32 61 64 34 62 32 39 35 39 37 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: NNTOkFeZL0Gpp8AO.3Context: 5e8b632ad4b29597
2025-01-15 16:47:54 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:47:54 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 41 64 63 67 58 31 52 6d 72 55 43 79 37 44 54 7a 7a 42 2f 34 2f 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: AdcgX1RmrUCy7DTzzB/4/A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.5	50373	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:48:04 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 5a 36 70 41 66 51 66 6d 66 55 61 38 35 6d 6e 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 38 64 65 30 30 66 39 32 65 61 39 32 33 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Z6pAfQfmfUa85mnW.1Context: 988de00f92ea9233
2025-01-15 16:48:04 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:48:04 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 5a 36 70 41 66 51 66 6d 66 55 61 38 35 6d 6e 57 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 38 64 65 30 30 66 39 32 65 61 39 32 33 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Z6pAfQfmfUa85mnW.2Context: 988de00f92ea9233<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:48:04 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 5a 36 70 41 66 51 66 6d 66 55 61 38 35 6d 6e 57 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 38 64 65 30 30 66 39 32 65 61 39 32 33 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Z6pAfQfmfUa85mnW.3Context: 988de00f92ea9233<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:48:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:48:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 55 5a 58 6e 76 6a 4c 64 53 55 57 2b 6c 37 6e 54 46 4f 6c 46 56 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: UZXnvjLdSUW+l7nTFOlFVA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	50638	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:48:24 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 32 48 48 5a 6f 4c 6b 47 72 55 65 6a 68 74 4e 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 65 32 36 65 66 32 64 64 36 33 35 30 64 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 2HHZoLkGrUejhtNI.1Context: 35e26ef2dd6350de
2025-01-15 16:48:24 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:48:24 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 32 48 48 5a 6f 4c 6b 47 72 55 65 6a 68 74 4e 49 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 65 32 36 65 66 32 64 64 36 33 35 30 64 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 2HHZoLkGrUejhtNI.2Context: 35e26ef2dd6350de<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:48:24 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 32 48 48 5a 6f 4c 6b 47 72 55 65 6a 68 74 4e 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 65 32 36 65 66 32 64 64 36 33 35 30 64 65 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: 2HHZoLkGrUejhtNI.3Context: 35e26ef2dd6350de
2025-01-15 16:48:24 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:48:24 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 49 55 68 59 79 64 7a 35 37 55 53 75 58 56 2b 68 45 37 6d 66 2b 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: IUhYydz57USuXV+hE7mf+Q.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.5	50639	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:48:36 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4c 72 30 4c 4a 76 56 4b 57 6b 75 57 49 6b 31 39 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 39 63 31 36 61 33 61 32 64 39 31 37 65 30 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Lr0LJvVKWkuWIk19.1Context: f9c16a3a2d917e0e
2025-01-15 16:48:36 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:48:36 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4c 72 30 4c 4a 76 56 4b 57 6b 75 57 49 6b 31 39 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 39 63 31 36 61 33 61 32 64 39 31 37 65 30 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Lr0LJvVKWkuWIk19.2Context: f9c16a3a2d917e0e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:48:36 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4c 72 30 4c 4a 76 56 4b 57 6b 75 57 49 6b 31 39 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 39 63 31 36 61 33 61 32 64 39 31 37 65 30 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Lr0LJvVKWkuWIk19.3Context: f9c16a3a2d917e0e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:48:36 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:48:36 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2f 73 62 4e 62 32 73 6d 52 30 79 68 68 79 4b 34 33 48 55 2f 46 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: /sbNb2smR0yhhyK43HU/Fg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.5	50640	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:49:04 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 4d 41 61 37 33 4d 67 4c 45 53 38 79 50 47 6d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 36 38 66 64 63 32 64 32 33 36 37 66 35 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: NMAa73MgLES8yPGm.1Context: 5768fdc2d2367f5d
2025-01-15 16:49:04 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:49:04 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 4d 41 61 37 33 4d 67 4c 45 53 38 79 50 47 6d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 36 38 66 64 63 32 64 32 33 36 37 66 35 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: NMAa73MgLES8yPGm.2Context: 5768fdc2d2367f5d<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:49:04 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 4e 4d 41 61 37 33 4d 67 4c 45 53 38 79 50 47 6d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 36 38 66 64 63 32 64 32 33 36 37 66 35 64 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: NMAa73MgLES8yPGm.3Context: 5768fdc2d2367f5d
2025-01-15 16:49:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:49:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 44 5a 44 39 37 41 46 50 35 30 53 46 78 4c 7a 5a 42 44 67 34 54 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: DZD97AFP50SFxLzZBDg4Tg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.5	50641	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:49:10 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 68 4d 69 41 56 49 58 6c 36 45 79 34 30 51 2f 44 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 62 35 65 31 30 31 37 39 62 36 62 35 34 61 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: hMiAVIXl6Ey40Q/D.1Context: 35b5e10179b6b54a
2025-01-15 16:49:10 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-15 16:49:10 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 68 4d 69 41 56 49 58 6c 36 45 79 34 30 51 2f 44 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 62 35 65 31 30 31 37 39 62 36 62 35 34 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 62 63 54 4c 76 42 36 55 4b 4b 61 52 6d 72 48 6e 76 55 58 6c 39 77 4c 53 63 61 76 49 64 44 78 6d 2f 4e 42 42 53 39 34 39 43 43 71 32 4c 72 6f 71 57 6c 34 6a 6c 64 45 31 79 4b 30 37 63 34 6b 70 48 37 30 73 52 4c 48 36 34 36 55 34 77 61 4f 70 65 4c 75 74 51 38 6a 6a 50 59 56 50 70 61 6d 6d 6c 4f 4e 6e 6e 64 4f 31 70 4c 4c 44 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: hMiAVIXl6Ey40Q/D.2Context: 35b5e10179b6b54a<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAbcTLvB6UKKaRmrHnvUXl9wLScavIdDxm/NBBS949CCq2LroqWl4jldE1yK07c4kpH70sRLH646U4waOpeLutQ8jjPYVPpammlONnndO1pLLDQ
2025-01-15 16:49:10 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 68 4d 69 41 56 49 58 6c 36 45 79 34 30 51 2f 44 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 35 62 35 65 31 30 31 37 39 62 36 62 35 34 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: hMiAVIXl6Ey40Q/D.3Context: 35b5e10179b6b54a<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-15 16:49:10 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-15 16:49:10 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 6c 70 39 72 76 41 56 44 45 69 56 43 57 4f 6d 49 71 66 43 6f 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Rlp9rvAVDEiVCWOmIqfCog.0Payload parsing failed.

Target ID:	0
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll"
Imagebase:	0x4a0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hNgIvHRuTU.dll,PlayGame
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",#1
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:47:07
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	526B41F0EBCFED2206ED1C567D79D1FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2135064930.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2135200599.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:47:09
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	526B41F0EBCFED2206ED1C567D79D1FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2156076914.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2156180423.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2803344917.0000000002282000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2803025512.0000000001D5C000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:47:10
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hNgIvHRuTU.dll",PlayGame
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:47:10
Start date:	15/01/2025
Path:	C:\Windows\mssecsvr.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvr.exe
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	526B41F0EBCFED2206ED1C567D79D1FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2164308144.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2177053960.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2164431927.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2176853198.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000005.00000002.2168364904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2168344272.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168387234.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168456694.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.2168364904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2168344272.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168387234.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168456694.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.2168364904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2168344272.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168387234.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168456694.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000005.00000002.2168364904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2168344272.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168387234.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168456694.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.2168364904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2168344272.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168387234.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168405539.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168456694.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2168553618.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvr.exePID: 6640, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2802160479.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2802127619.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802179594.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802240159.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802254528.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2802160479.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2802127619.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802179594.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802240159.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802254528.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.1, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000007.00000002.2802160479.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2802127619.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802179594.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802240159.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802254528.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12

Memory Dump Source

Source File: 00000007.00000002.2802160479.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2802127619.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802179594.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802240159.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802254528.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2802160479.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2802127619.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802179594.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802192389.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802226931.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802240159.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802254528.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2802339283.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hNgIvHRuTU.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
hNgIvHRuTU.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON