Summary (Bottom Line Up Front)
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign targeting industrial control systems, databases, and enterprise services over a 68-day period from February to April 2026. The attacker demonstrated particular focus on MQTT messaging systems and Oracle databases, with 550 recorded events across 14 unique destination ports. Organizations should immediately block this IP and review logs for similar multi-protocol scanning patterns targeting OT/IT infrastructure.
Activity Timeline
UPDATE 12 2026-04-26T08:30:08Z
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign targeting industrial control systems, databases, and enterprise services over a 68-day period from February to April 2026. The attacker demonstrated particular focus on MQTT messaging systems and Oracle databases, with 550 recorded events across 14 unique destination ports. Organizations should immediately block this IP and review logs for similar multi-protocol scanning patterns targeting OT/IT infrastructure.
New findings
Attack Vector: Multi-protocol network reconnaissance and exploitation attempts
Duration: February 17, 2026 23:00 - April 26, 2026 10:00 (68 days)
Volume: 550 events across 14 destination ports
Source: 81.29.142.100 (Russia, AbuseIPDB score: 100/100)
Primary Targets:
- MQTT messaging systems (66 events - MQTT_SUBSCRIBE, MQTT_PROBE, MQTT_ENUMERATION)
- Oracle databases (10 events - ORACLE_SCAN on port 1521)
- SMB file shares (5 events - legacy SMBv1 probes on port 445)
- SMTP services (5 events - EHLO reconnaissance on port 25)
- Modbus industrial protocols (ICS targeting on port 502)
MITRE ATT&CK Mapping: T1595.001 (Active Scanning: Scanning IP Blocks)
Kill Chain Phase: Reconnaissance with exploitation attempts
Key IOCs: Systematic targeting of $SYS/MQTT topics, Oracle TNS connections, SMBv1 detection attempts
Recommendations
- Block IP address 81.29.142.100 at network perimeter and review firewall logs for similar Russian-origin scanning activity
- Audit MQTT broker configurations to ensure $SYS topics are properly restricted and authentication is enforced
- Disable SMBv1 protocol across all Windows systems and monitor for legacy SMB connection attempts
- Implement network segmentation between OT/ICS networks and IT infrastructure, particularly for Modbus and MQTT services
- Review Oracle database exposure and ensure TNS listeners are not accessible from untrusted networks
UPDATE 11 2026-03-23T13:36:52Z
Source: Analyst Manual Entry
Russian IP address 81.29.142.100 conducted extensive multi-protocol reconnaissance targeting critical infrastructure services including SMTP, SMB, Modbus, and MQTT between February 17-March 23, 2026. Despite broad attack surface probing across 9 unique ports with 400+ events, current threat level assessed as LOW due to reconnaissance-phase activity with no observed exploitation. Organizations should implement enhanced monitoring for the identified protocols and block the source IP.
New findings
Threat actor leveraged a diverse protocol stack including legacy SMBv1, industrial control system protocols (Modbus), and IoT messaging (MQTT) for systematic reconnaissance. Primary MITRE technique T1046 (Network Service Scanning) observed across attack patterns including SMTP service enumeration via EHLO commands, SMBv1 dialect negotiation attempts, Modbus broadcast attacks with function code 0x2B (Read Device ID), and MQTT subscription probing of system topics ($SYS/#). Source infrastructure traced to AS210259 (LLC Applied Computational Technologies) with maximum AbuseIPDB reputation score (100/100). Attack volume totaled 400 events over a 34-day period with a consistent multi-vector approach suggesting automated tooling.
Recommendations
- Block IP address 81.29.142.100 at network perimeter and monitor for additional IPs from AS210259
- Disable SMBv1 protocol across all systems and implement SMBv3 with encryption for required file sharing
- Segment industrial control systems (ICS/SCADA) running Modbus from corporate networks using dedicated VLANs
- Configure MQTT brokers to require authentication and disable anonymous access to system topics
- Deploy enhanced logging for SMTP, SMB, Modbus, and MQTT protocols to detect similar reconnaissance patterns
UPDATE 10 2026-03-23T12:52:06Z
Source: Analyst Manual Entry
Russian IP address 81.29.142.100 conducted extensive multi-protocol reconnaissance targeting critical infrastructure services including SMTP, SMB, Modbus, and MQTT over a 34-day period from February 17-March 23, 2026. Despite the broad attack surface and 400 recorded events, this activity represents low-severity reconnaissance with no evidence of successful exploitation. Organizations should implement enhanced monitoring for the identified protocols and block the source IP.
New findings
The threat actor leveraged 10+ protocols (HTTP, MQTT, Modbus, Oracle/TNS, RDP, SMB, SSH, TLS, SMTP) to probe 9 unique destination ports, generating 400 security events. Primary attack patterns included SMTP service enumeration via EHLO commands, legacy SMBv1 protocol negotiation attempts, and industrial control system (ICS) targeting through Modbus broadcast attacks and device identification requests (FC=0x2B). The campaign maps to MITRE technique T1046 (Network Service Scanning) during the reconnaissance phase. Key indicators include source IP 81.29.142.100 (AS210259 LLC Applied Computational Technologies, Russia) with maximum AbuseIPDB reputation score (100/100), MQTT subscription attempts to system topics ($SYS/#), and SMBv1 vulnerability probing.
Recommendations
- Block source IP 81.29.142.100 and monitor for additional activity from AS210259 network range
- Disable SMBv1 protocol across all systems and implement SMBv2/v3 with signing requirements
- Enhance monitoring for Modbus function code 0x2B (Read Device ID) and unauthorized MQTT subscriptions to system topics
- Implement network segmentation to isolate ICS/SCADA systems from internet-facing infrastructure
- Deploy additional logging for SMTP EHLO reconnaissance and Oracle TNS connection attempts
UPDATE 9 2026-03-22T08:20:49Z
Source: Analyst Manual Entry
Russian-origin IP 81.29.142.100 conducted extensive multi-protocol reconnaissance targeting critical infrastructure and enterprise services over 32 days, generating 387 malicious events across 9 protocols including SMB, Modbus, MQTT, and SMTP. This HIGH-severity campaign demonstrates advanced persistent threat characteristics with focus on industrial control systems and legacy Windows vulnerabilities. Immediate network hardening and monitoring enhancement recommended.
New findings
Threat actor conducted systematic reconnaissance from February 17, 2026 23:00 through March 22, 2026 00:00, targeting 9 unique destination ports across HTTP, MQTT, Modbus, Oracle/TNS, RDP, SMB, SSH, and SMTP protocols. Primary attack vectors included SMBv1 dialect negotiation (8 events), SMTP service enumeration (4 events), and Modbus industrial protocol exploitation attempts (6 events). Activity aligns with MITRE T1046 (Network Service Scanning) in the Reconnaissance phase. Notable attack patterns include legacy SMB protocol abuse, industrial control system targeting via Modbus broadcast attacks and device identification queries, and MQTT subscription-based reconnaissance. Source IP maintains 100/100 AbuseIPDB reputation score indicating established malicious infrastructure.
Recommendations
- Block IP 81.29.142.100 at network perimeter and implement geofencing for Russian IP ranges if operationally feasible
- Disable SMBv1 protocol across all Windows systems and implement SMB signing requirements
- Segment industrial control systems (ICS/SCADA) from corporate networks and implement protocol-aware monitoring for Modbus traffic
- Enable enhanced logging for SMTP, RDP, and Oracle services with focus on enumeration attempts
- Deploy network behavior analytics to detect multi-protocol reconnaissance patterns and establish baseline traffic profiles for critical services
UPDATE 8 2026-03-22T08:11:22Z
Source: Analyst Manual Entry
Russian IP address 81.29.142.100 conducted extensive multi-protocol reconnaissance targeting critical infrastructure and enterprise services over 32 days, generating 387 malicious events across 9 protocols including SMB, MQTT, Modbus, and SMTP. This HIGH severity threat demonstrates advanced persistent reconnaissance capabilities consistent with pre-attack preparation for ransomware deployment or industrial control system compromise. Immediate defensive measures should focus on blocking the source IP and hardening exposed services.
New findings
Attack Profile: Sustained reconnaissance campaign from February 17 to March 22, 2026, targeting multiple protocols including SMB (SMBv1 dialect negotiation), MQTT (wildcard subscriptions), Modbus (broadcast attacks and device enumeration), SMTP (service probing), and additional protocols across 9 unique destination ports.
Key Techniques: MITRE T1046 (Network Service Scanning) with focus on vulnerable SMBv1 implementations, industrial control system enumeration via Modbus function code 43 (Read Device ID), MQTT broker reconnaissance using system topic wildcards, and SMTP service fingerprinting.
Threat Indicators: 100/100 AbuseIPDB reputation score, Russian origin (ASN unavailable), attack patterns include SMBv1 detection (5 hits), SMTP EHLO probing (4 hits), Modbus broadcast attacks (3 hits), and MQTT binary subscription attempts (4 hits total).
Assessment: High-confidence advanced reconnaissance consistent with pre-exploitation activities targeting both enterprise networks and industrial control systems.
Recommendations
- Block IP address 81.29.142.100 at network perimeter and update threat intelligence feeds
- Disable SMBv1 protocol across all Windows systems and verify SMBv2/v3 hardening configurations
- Implement network segmentation to isolate industrial control systems and MQTT brokers from external access
- Enable enhanced logging for SMB, SMTP, MQTT, and Modbus protocols to detect similar reconnaissance patterns
- Conduct immediate vulnerability assessment of exposed services on ports targeted during this campaign
UPDATE 7 2026-03-22T08:10:20Z
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign from February 17 to March 22, 2026, targeting industrial control systems, messaging infrastructure, and network services across 387 attack events. The threat actor demonstrates advanced capabilities with sophisticated MQTT broker enumeration, Modbus industrial system probing, and legacy SMB exploitation attempts, assessed as HIGH severity with 85% confidence. Immediate implementation of protocol-specific monitoring and access controls is recommended to prevent further reconnaissance and potential lateral movement.
New findings
The threat actor employed a diverse attack vector portfolio spanning HTTP, MQTT, Modbus, Oracle/TNS, RDP, SMB, SSH, and TLS protocols across 9 unique destination ports. Primary techniques include MQTT wildcard topic subscription ($SYS/#) for broker enumeration, Modbus broadcast attacks and device identification queries (FC43), SMBv1 exploitation attempts, and SMTP service fingerprinting. Attack patterns align with MITRE T1046 (Network Service Scanning) during the reconnaissance phase, with notable focus on industrial control system protocols suggesting potential critical infrastructure targeting. The 100/100 AbuseIPDB reputation score and Russian geolocation (ASN unavailable) indicate established malicious infrastructure with no VPN obfuscation detected.
Recommendations
- Block IP address 81.29.142.100 at network perimeter and implement geofencing for Russian IP ranges on critical industrial systems
- Deploy enhanced monitoring for MQTT wildcard subscriptions, Modbus broadcast traffic, and SMBv1 protocol usage with immediate alerting
- Implement network segmentation to isolate industrial control systems from general IT networks and restrict cross-protocol communications
- Disable legacy protocols (SMBv1, TLS 1.0) where operationally feasible and enforce strong authentication on remaining industrial services
- Conduct immediate asset inventory review for exposed MQTT brokers, Modbus devices, and other industrial systems accessible from external networks
UPDATE 6 2026-03-21T11:55:29Z
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign from February 17-March 21, 2026, targeting critical infrastructure protocols including MQTT, Modbus, SMB, and SMTP across 319 attack events. This HIGH-severity threat demonstrates sophisticated industrial control system (ICS) targeting capabilities with obfuscated MQTT reconnaissance techniques. Immediate network monitoring and protocol-specific hardening measures are recommended.
New findings
The attacker employed diverse reconnaissance techniques across nine unique destination ports, primarily targeting industrial and enterprise protocols. Key attack vectors included MQTT wildcard subscription attempts ($SYS/topic enumeration), Modbus broadcast attacks and device identification queries (function code 43), legacy SMBv1 exploitation attempts, and SMTP service enumeration. The campaign maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the reconnaissance phase of the cyber kill chain. Notable indicators include the use of binary-encoded MQTT payloads with obfuscation techniques and systematic probing of ICS-specific protocols. The source IP (81.29.142.100) originates from AS210259 (LLC Applied Computational Technologies) with a maximum AbuseIPDB reputation score of 100/100.
Recommendations
- Implement network segmentation to isolate MQTT brokers and Modbus devices from internet-facing infrastructure
- Deploy protocol-aware monitoring for MQTT $SYS/wildcard subscriptions and Modbus function code 43 requests
- Disable SMBv1 protocol across all Windows systems and network shares immediately
- Configure SMTP servers to restrict EHLO command responses to authenticated users only
- Block traffic from AS210259 (LLC Applied Computational Technologies) and monitor for similar multi-protocol reconnaissance patterns
UPDATE 5 2026-03-19T08:52:45Z
Source: Analyst Manual Entry
Russian-origin threat actor (81.29.142.100) conducted sustained multi-protocol reconnaissance targeting enterprise and industrial control systems over a 30-day period, with 279 attack events focusing on SMBv1 exploitation vectors and industrial protocols. Assessment: HIGH threat level with 85% confidence indicating likely precursor to ransomware or lateral movement operations. Immediate action required to harden SMB configurations and monitor industrial control system interfaces.
New findings
Attack Profile: Sustained reconnaissance campaign spanning February 17 - March 19, 2026, originating from AS210259 (LLC Applied Computational Technologies) with maximum AbuseIPDB reputation score (100/100). Primary attack vectors included SMBv1 protocol negotiation attempts, Modbus industrial control system probing, and SMTP service enumeration across 9 unique destination ports. MITRE Mapping: T1190 (Exploit Public-Facing Application) during reconnaissance phase of cyber kill chain. Key Indicators: SMBv1 dialect detection (10 total hits), Modbus broadcast attacks targeting device identification (Function Code 43), MQTT wildcard subscription attempts, and CRLF injection techniques. Volume Analysis: 279 total events with medium-severity attack patterns across HTTP, TLS, SMB, Oracle/TNS, and industrial protocols (Modbus, MQTT).
Recommendations
- Immediately disable SMBv1 protocol on all Windows systems and network shares to prevent EternalBlue-style exploitation
- Implement network segmentation to isolate industrial control systems (ICS/SCADA) from corporate networks and internet-facing services
- Deploy enhanced monitoring for Modbus and MQTT protocol anomalies, particularly broadcast queries and wildcard subscription attempts
- Block traffic from AS210259 (LLC Applied Computational Technologies) and implement geo-blocking for non-essential Russian IP ranges
- Conduct urgent vulnerability assessment of public-facing Oracle/TNS and SMTP services identified during reconnaissance activity
UPDATE 4 2026-03-16T12:28:33Z
Source: Analyst Manual Entry
Russian-origin IP address 81.29.142.100 conducted sustained multi-protocol reconnaissance targeting enterprise and industrial control systems from February 17 to March 15, 2026, generating 245 malicious events across 9 destination ports. Assessment: CRITICAL threat level due to coordinated targeting of SMB, Modbus, MQTT, and SMTP services indicating preparation for lateral movement and potential ransomware deployment. Immediate network hardening and monitoring enhancement recommended.
New findings
Source: 81.29.142.100 (AS210259 LLC Applied Computational Technologies, Russia) with maximum AbuseIPDB reputation score (100/100). Attack campaign spanned 26 days targeting multiple protocols including SMBv1 negotiation attempts, Modbus industrial control system probes, MQTT IoT device reconnaissance, and SMTP service enumeration. Primary MITRE technique T1190 (Exploit Public-Facing Application) observed during reconnaissance phase of kill chain. Notable attack patterns include SMBv1 usage detection, Modbus broadcast attacks targeting function code 43 (device identification), MQTT wildcard subscription attempts, CRLF injection probes, and SMTP EHLO reconnaissance. High confidence (85%) assessment indicates sophisticated threat actor conducting systematic infrastructure mapping.
Recommendations
- Block IP address 81.29.142.100 and monitor AS210259 network range for additional malicious activity
- Disable SMBv1 protocol across all Windows systems and implement SMB signing requirements
- Segment industrial control systems (ICS/SCADA) from corporate networks and restrict Modbus protocol access
- Deploy enhanced monitoring for MQTT, Modbus, and SMB protocol anomalies on internet-facing services
- Review and harden SMTP service configurations to prevent information disclosure via EHLO responses
UPDATE 3 2026-03-16T07:15:44Z
Source: Analyst Manual Entry
Russian-origin threat actor (81.29.142.100) conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 26-day period ending March 15, 2026. Activity demonstrates sophisticated understanding of ICS/SCADA environments with focus on Modbus protocol exploitation and network service enumeration. Immediate defensive measures recommended for organizations operating industrial control systems.
New findings
Threat actor executed 245 attack events across 9 protocols including targeted ICS attacks via Modbus (function code 43 - device identification), MQTT wildcard subscriptions, SMBv1 exploitation attempts, and SMTP reconnaissance. Primary attack vectors included Modbus broadcast attacks for device discovery, CRLF injection techniques, and legacy SMB protocol abuse. Activity spans the February 17 - March 15, 2026 timeframe with consistent targeting patterns. Source IP 81.29.142.100 (AS210259 LLC Applied Computational Technologies) maintains 100/100 AbuseIPDB reputation score indicating established malicious infrastructure. Attack patterns suggest reconnaissance phase of broader ICS-focused campaign with potential for operational technology disruption.
Recommendations
- Block IP 81.29.142.100 and monitor AS210259 (LLC Applied Computational Technologies) for additional malicious activity
- Implement network segmentation between IT and OT environments, restricting Modbus and MQTT protocols to authorized industrial networks only
- Disable SMBv1 protocol across all systems and enable SMB signing to prevent lateral movement attempts
- Deploy enhanced monitoring for Modbus function code 43 (device identification) requests and MQTT wildcard subscription attempts
- Review and harden SMTP configurations to prevent reconnaissance via EHLO command enumeration
UPDATE 2 2026-03-15T09:02:10Z
Source: Analyst Manual Entry
Russian-origin threat actor (81.29.142.100) conducted sustained multi-protocol attacks targeting industrial control systems and enterprise infrastructure over 25 days, with 239 recorded events focusing on Modbus, MQTT, SMB, and SMTP protocols. Assessment indicates SUSPICIOUS activity with 80% confidence, suggesting potential advanced persistent threat (APT) reconnaissance and exploitation attempts. Immediate defensive measures recommended for organizations operating industrial control systems and legacy network protocols.
New findings
Threat actor demonstrated sophisticated multi-vector approach targeting both IT and OT environments. Primary attack vectors included Modbus function code 43 (Read Device Identification) attacks, MQTT wildcard subscription attempts, SMBv1 exploitation, and SMTP enumeration. Activity spanned February 17 - March 14, 2026, with attacks distributed across 9 unique destination ports. Notable techniques include Modbus broadcast attacks targeting industrial devices, CRLF injection attempts, and legacy SMB protocol abuse. Source IP (81.29.142.100) originates from AS210259 (LLC Applied Computational Technologies) with maximum AbuseIPDB reputation score (100/100). Attack pattern suggests reconnaissance phase of potential APT campaign targeting critical infrastructure.
Recommendations
- Block IP 81.29.142.100 and monitor for additional activity from AS210259 network range
- Implement network segmentation between IT and OT environments, restricting Modbus and MQTT traffic to authorized systems only
- Disable SMBv1 protocol across all Windows systems and implement SMB signing requirements
- Deploy enhanced monitoring for industrial protocol anomalies, particularly unsolicited Modbus function code 43 requests and MQTT wildcard subscriptions
- Review and harden SMTP configurations to prevent enumeration attacks and implement rate limiting for connection attempts
UPDATE 1 2026-03-14T17:38:46Z
Source: batch_hunting
Russian-origin threat actor 81.29.142.100 conducted sustained multi-protocol reconnaissance targeting industrial control systems, SMTP, and SMB services over 25 days with 239 attack events. Assessment indicates MEDIUM-HIGH threat level with sophisticated APT characteristics focusing on critical infrastructure discovery. Immediate implementation of enhanced monitoring for Modbus, MQTT, and legacy SMB protocols is recommended.
New findings
Attacker demonstrated advanced reconnaissance capabilities across nine distinct protocols including Modbus (Function Code 43 device identification), MQTT wildcard subscriptions, SMBv1 exploitation attempts, and SMTP enumeration. Key attack patterns include Modbus broadcast attacks, CRLF injection techniques, and MQTT binary payload delivery. Activity timeline spans February 17, 2026 23:00 through March 14, 2026 09:00 with consistent targeting of industrial protocols. Source infrastructure traces to AS210259 (LLC Applied Computational Technologies) with maximum AbuseIPDB reputation score indicating established malicious infrastructure. Attack volume and protocol diversity suggest automated tooling with potential MITRE T1046 (Network Service Scanning) and T1082 (System Information Discovery) techniques.
Recommendations
- Block traffic from 81.29.142.100 and monitor for additional infrastructure from AS210259
- Implement enhanced logging and alerting for Modbus Function Code 43 and MQTT wildcard subscription attempts
- Disable SMBv1 protocol across all network segments and audit legacy industrial systems for unnecessary service exposure
- Deploy network segmentation between IT and OT environments with strict protocol filtering for Modbus and MQTT traffic
- Conduct immediate asset inventory of industrial control systems and verify current patch levels for internet-facing services
INITIAL REPORT 2026-03-14T08:33:57Z
Source: Analyst Manual Entry
Between February 17-March 14, 2026, sensors observed 217 malicious events from IP 81.29.142.100 (AS210259, Russia) targeting industrial control systems and enterprise services. The threat actor demonstrated multi-protocol reconnaissance and exploitation capabilities across Modbus, MQTT, SMB, and SMTP protocols with medium-severity attack patterns. Activity assessment: SUSPICIOUS with 80% confidence, indicating a technically proficient actor conducting broad-spectrum infrastructure reconnaissance.
Technical details
The threat actor employed multi-protocol attack vectors spanning 18 distinct protocols including HTTP, HTTPS, TLS/1.0, Modbus, Oracle/TNS, SMB, SMTP, and MQTT. Primary attack techniques included Modbus broadcast attacks (T1046 - Network Service Scanning), function code 43 device identification queries (T1082 - System Information Discovery), SMBv1 protocol abuse (T1021.002 - SMB/Windows Admin Shares), CRLF injection attempts (T1059 - Command and Scripting Interpreter), and MQTT wildcard subscription attacks (T1046). The actor targeted 9 unique destination ports with no specific CVE exploitation observed. Notable attack patterns included modbus_broadcast_binary and modbus_fc43_device_id_binary payloads indicating industrial control system reconnaissance capabilities.
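The recommendations throughout this timeline repeatedly call for protocol-aware monitoring of the three patterns named in the technical details: Modbus function code 43 (0x2B) Read Device Identification requests, MQTT SUBSCRIBE packets for $SYS/ and bare-wildcard topic filters, and SMBv1 SMB_COM_NEGOTIATE dialect offers. The Python below is an added example, not code from this report or from any sensor it references, showing one way a passive sensor could classify captured TCP payloads for those patterns. The MQTT parser assumes the MQTT 3.1.1 SUBSCRIBE layout, and the sample payloads are constructed for the example; none of them is traffic from 81.29.142.100.

```python
"""Classify captured TCP payloads for the reconnaissance patterns the report
recommends monitoring: Modbus FC 0x2B/MEI 0x0E (Read Device Identification),
MQTT SUBSCRIBE to $SYS/ or bare-wildcard topic filters, and SMBv1
SMB_COM_NEGOTIATE dialect offers. Example code, not taken from the report."""
import struct
from dataclasses import dataclass, field


@dataclass
class Finding:
    protocol: str
    pattern: str
    details: dict = field(default_factory=dict)


def inspect_modbus(payload: bytes):
    """Modbus/TCP: 7-byte MBAP header (tid, protocol id, length, unit id), then PDU."""
    if len(payload) < 9:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None                       # not a well-formed Modbus/TCP frame
    if payload[7] != 0x2B or payload[8] != 0x0E:
        return None                       # only FC 43 with MEI type 14 is device identification
    read_code = payload[9] if len(payload) > 9 else None
    # Unit identifier 0 is the Modbus broadcast address.
    return Finding("modbus", "fc43_read_device_id",
                   {"unit_id": unit, "broadcast": unit == 0, "read_code": read_code})


def _mqtt_remaining_length(buf: bytes, pos: int):
    """Decode the MQTT variable-length integer (7 bits per byte, MSB = continue)."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed MQTT remaining length")


def inspect_mqtt(payload: bytes):
    """MQTT 3.1.1 SUBSCRIBE: fixed header, packet id, then (len, topic filter, QoS) tuples."""
    if len(payload) < 2 or payload[0] >> 4 != 8:   # control packet type 8 = SUBSCRIBE
        return None
    remaining, pos = _mqtt_remaining_length(payload, 1)
    end = pos + remaining
    if end > len(payload):
        return None
    pos += 2                                        # packet identifier
    topics = []
    while pos + 2 <= end:
        (tlen,) = struct.unpack(">H", payload[pos:pos + 2])
        pos += 2
        topics.append(payload[pos:pos + tlen].decode("utf-8", "replace"))
        pos += tlen + 1                             # skip topic bytes and requested QoS
    flagged = [t for t in topics if t.startswith("$SYS") or t in ("#", "+/#")]
    return Finding("mqtt", "sys_or_wildcard_subscribe", {"topics": flagged}) if flagged else None


def inspect_smb(payload: bytes):
    """SMBv1 negotiate over the NetBIOS session service; SMB2+ (\\xfeSMB) is ignored."""
    if len(payload) < 4 + 33 or payload[0] != 0x00:   # 0x00 = session message
        return None
    body = payload[4:]
    if body[:4] != b"\xffSMB" or body[4] != 0x72:      # 0x72 = SMB_COM_NEGOTIATE
        return None
    bc_off = 33 + 2 * body[32]                          # skip word count and parameter words
    if len(body) < bc_off + 2:
        return None
    (byte_count,) = struct.unpack("<H", body[bc_off:bc_off + 2])
    data = body[bc_off + 2:bc_off + 2 + byte_count]
    # Dialect block: repeated 0x02 buffer-format byte followed by a NUL-terminated string.
    dialects = [d.split(b"\x00", 1)[0].decode("ascii", "replace") for d in data.split(b"\x02")[1:]]
    return Finding("smb", "smbv1_negotiate", {"dialects": dialects})


INSPECTORS = {502: inspect_modbus, 1883: inspect_mqtt, 8883: inspect_mqtt, 445: inspect_smb}


def inspect(dst_port: int, payload: bytes):
    """Dispatch on destination port; returns a Finding or None."""
    fn = INSPECTORS.get(dst_port)
    return fn(payload) if fn else None


def _smb1_negotiate(dialects):
    """Build a minimal SMBv1 negotiate request (constructed test data only)."""
    header = b"\xffSMB" + bytes([0x72]) + bytes(27)     # 32-byte header, other fields zeroed
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    smb = header + bytes([0]) + struct.pack("<H", len(data)) + data
    return bytes([0]) + len(smb).to_bytes(3, "big") + smb


# Constructed sample payloads for the example; not traffic from the reported source.
SAMPLE_MODBUS_FC43 = bytes.fromhex("000100000005002b0e0100")      # unit 0, FC 43, MEI 14, basic
SAMPLE_MODBUS_FC03 = bytes.fromhex("00010000000601030000000a")    # ordinary read holding registers
SAMPLE_MQTT = bytes.fromhex("820b00010006245359532f2300")         # SUBSCRIBE "$SYS/#" QoS 0
SAMPLE_SMB1 = _smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])
SAMPLE_SMB2 = bytes([0]) + (64).to_bytes(3, "big") + b"\xfeSMB" + bytes(60)

if __name__ == "__main__":
    for port, pkt in [(502, SAMPLE_MODBUS_FC43), (502, SAMPLE_MODBUS_FC03),
                      (1883, SAMPLE_MQTT), (445, SAMPLE_SMB1), (445, SAMPLE_SMB2)]:
        print(port, inspect(port, pkt))
```

Each inspector validates framing before matching, so a stray 0x2B byte in non-Modbus traffic on port 502, or an SMB2 negotiate on port 445, does not produce a finding; the benign FC 3 and SMB2 samples exercise that path.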
IOCs
IP: 81.29.142.100
ASN: 210259
COUNTRY: RU