
Windows Analysis Report
jpXNd6Kt8z.dll

Overview

General Information

Sample name: jpXNd6Kt8z.dll (renamed because the original name is a hash value)
Original sample name: 1bda83265aeaeda718ef23fca3e1fe8d.dll
Analysis ID: 1591261
MD5: 1bda83265aeaeda718ef23fca3e1fe8d
SHA1: b16681b565b5b6009fdfbe2ea2f3c0aa0603ed2f
SHA256: 1db70e71afb728b64f3576a8c8ebd567cfc87203c6be2abd7adc0ebe635c0b80
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Wannacry ransomware
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Connects to several IPs in different countries
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7388 cmdline: loaddll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7476 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • mssecsvc.exe (PID: 7524 cmdline: C:\WINDOWS\mssecsvc.exe MD5: F231DD1364C3E09C7885EE23750D87A2)
          • tasksche.exe (PID: 7676 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3233ACED9279EF54267C479BBA665B90)
    • rundll32.exe (PID: 7484 cmdline: rundll32.exe C:\Users\user\Desktop\jpXNd6Kt8z.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7812 cmdline: rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvc.exe (PID: 7828 cmdline: C:\WINDOWS\mssecsvc.exe MD5: F231DD1364C3E09C7885EE23750D87A2)
        • tasksche.exe (PID: 7896 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3233ACED9279EF54267C479BBA665B90)
  • mssecsvc.exe (PID: 7616 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: F231DD1364C3E09C7885EE23750D87A2)
  • cleanup
No configs have been found
Source | Rule | Description | Author (matched strings are listed below each row)
jpXNd6Kt8z.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
jpXNd6Kt8z.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
    • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0x353d0:$x3: tasksche.exe
    • 0x455e0:$x3: tasksche.exe
    • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0x45634:$x5: WNcry@2ol7
    • 0x3028:$x7: mssecsvc.exe
    • 0x120ac:$x7: mssecsvc.exe
    • 0x1b3b4:$x7: mssecsvc.exe
    • 0x353a8:$x8: C:\%s\qeriuwjhrf
    • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0x3014:$s1: C:\%s\%s
    • 0x12098:$s1: C:\%s\%s
    • 0x1b39c:$s1: C:\%s\%s
    • 0x353bc:$s1: C:\%s\%s
    • 0x45534:$s3: cmd.exe /c "%s"
    • 0x77a88:$s4: msg/m_portuguese.wnry
    • 0x326f0:$s5: \\192.168.56.20\IPC$
    • 0x1fae5:$s6: \\172.16.99.5\IPC$
    • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
jpXNd6Kt8z.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
    • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author (matched strings are listed below each row)
C:\Windows\mssecsvc.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
C:\Windows\mssecsvc.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
      • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
      • 0x3136c:$x3: tasksche.exe
      • 0x4157c:$x3: tasksche.exe
      • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
      • 0x415d0:$x5: WNcry@2ol7
      • 0xe048:$x7: mssecsvc.exe
      • 0x17350:$x7: mssecsvc.exe
      • 0x31344:$x8: C:\%s\qeriuwjhrf
      • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
      • 0xe034:$s1: C:\%s\%s
      • 0x17338:$s1: C:\%s\%s
      • 0x31358:$s1: C:\%s\%s
      • 0x414d0:$s3: cmd.exe /c "%s"
      • 0x73a24:$s4: msg/m_portuguese.wnry
      • 0x2e68c:$s5: \\192.168.56.20\IPC$
      • 0x1ba81:$s6: \\172.16.99.5\IPC$
      • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
      • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
      • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
      • 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
      • 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
C:\Windows\mssecsvc.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
      • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
      • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
      • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
      • 0x1d439:$s1: __TREEID__PLACEHOLDER__
      • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
      • 0x1f508:$s1: __TREEID__PLACEHOLDER__
      • 0x20570:$s1: __TREEID__PLACEHOLDER__
      • 0x215d8:$s1: __TREEID__PLACEHOLDER__
      • 0x22640:$s1: __TREEID__PLACEHOLDER__
      • 0x236a8:$s1: __TREEID__PLACEHOLDER__
      • 0x24710:$s1: __TREEID__PLACEHOLDER__
      • 0x25778:$s1: __TREEID__PLACEHOLDER__
      • 0x267e0:$s1: __TREEID__PLACEHOLDER__
      • 0x27848:$s1: __TREEID__PLACEHOLDER__
      • 0x288b0:$s1: __TREEID__PLACEHOLDER__
      • 0x29918:$s1: __TREEID__PLACEHOLDER__
      • 0x2a980:$s1: __TREEID__PLACEHOLDER__
      • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
      • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
      • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
      • 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
      • 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
      • 0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
      • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
      • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
      • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
      • 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source | Rule | Description | Author (matched strings are listed below each row)
0000000C.00000000.1423659379.000000000040E000.00000008.00000001.01000000.00000007.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
      • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
      • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
0000000B.00000002.1424940350.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000006.00000000.1392551862.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
Source | Rule | Description | Author (matched strings are listed below each row)
8.2.mssecsvc.exe.1bf1084.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
            • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
            • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
            • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1bf1084.5.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
            • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
            • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
            • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.210c8c8.8.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
            • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
            • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
            • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.210c8c8.8.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
            • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
            • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
            • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.1c23128.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
              No Sigma rule has matched
              No Suricata rule has matched


              AV Detection

Source: jpXNd6Kt8z.dll | Avira: detected
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/AD.WannaCry.jxpvm
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: TR/AD.WannaCry.jxpvm
Source: C:\WINDOWS\qeriuwjhrf (copy) | ReversingLabs: Detection: 100%
Source: C:\WINDOWS\qeriuwjhrf (copy) | Virustotal: Detection: 94%
Source: C:\Windows\mssecsvc.exe | ReversingLabs: Detection: 96%
Source: C:\Windows\mssecsvc.exe | Virustotal: Detection: 89%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe | Virustotal: Detection: 94%
Source: jpXNd6Kt8z.dll | ReversingLabs: Detection: 94%
Source: jpXNd6Kt8z.dll | Virustotal: Detection: 93%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.0% probability
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: jpXNd6Kt8z.dll | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Code function: 9_2_004018B9 CryptReleaseContext, 9_2_004018B9

              Exploits

Source: global traffic | TCP traffic to port 445 (SMB) on every host 192.168.2.1 through 192.168.2.114 (114 consecutive private addresses, one connection attempt each)
              Source: jpXNd6Kt8z.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
              Source: unknownNetwork traffic detected: IP country count 10
              Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.45
              Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\tasksche.exe | Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!9_2_004014A6
              Source: Yara match | File source: jpXNd6Kt8z.dll, type: SAMPLE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1bfc0a4.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1c00104.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.211b948.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.21178e8.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.1424940350.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1392551862.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000000.1421594801.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1399459695.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1399640398.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1392661939.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000000.1421736202.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 7524, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 7616, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 7828, type: MEMORYSTR
              Source: Yara match | File source: C:\Windows\mssecsvc.exe, type: DROPPED
              Source: Yara match | File source: C:\Windows\tasksche.exe, type: DROPPED

              System Summary

              Source: jpXNd6Kt8z.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: jpXNd6Kt8z.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.1bf1084.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1bf1084.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.210c8c8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.210c8c8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.1bfc0a4.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1bfc0a4.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.1c00104.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1c00104.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.211b948.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.211b948.6.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.21178e8.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.21178e8.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
              Source: 0000000C.00000000.1423659379.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 0000000C.00000002.1424384794.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000009.00000000.1404985510.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000008.00000000.1399640398.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000006.00000000.1392661939.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: 0000000B.00000000.1421736202.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe, File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvc.exe, File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\tasksche.exe, Code function: 9_2_00406C40
Source: C:\Windows\tasksche.exe, Code function: 9_2_00402A76
Source: C:\Windows\tasksche.exe, Code function: 9_2_00402E7E
Source: C:\Windows\tasksche.exe, Code function: 9_2_0040350F
Source: C:\Windows\tasksche.exe, Code function: 9_2_00404C19
Source: C:\Windows\tasksche.exe, Code function: 9_2_0040541F
Source: C:\Windows\tasksche.exe, Code function: 9_2_00403797
Source: C:\Windows\tasksche.exe, Code function: 9_2_004043B7
Source: C:\Windows\tasksche.exe, Code function: 9_2_004031BC
Source: Joe Sandbox View, Dropped File: C:\WINDOWS\qeriuwjhrf (copy) F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
Source: mssecsvc.exe.4.dr, Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr, Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: jpXNd6Kt8z.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: jpXNd6Kt8z.dll, type: SAMPLE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: jpXNd6Kt8z.dll, type: SAMPLE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1bf1084.5.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1bf1084.5.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.210c8c8.8.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.210c8c8.8.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c23128.4.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.210c8c8.8.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1bfc0a4.2.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1bfc0a4.2.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.211b948.6.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c23128.4.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c00104.3.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c00104.3.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.213e96c.9.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.211b948.6.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.211b948.6.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.213e96c.9.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvc.exe.1c00104.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.21178e8.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.21178e8.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvc.exe.1bf1084.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 0000000C.00000000.1423659379.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000C.00000002.1424384794.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000009.00000000.1404985510.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000000.1399640398.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.1392661939.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000000.1421736202.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
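The rule matches above and the Binary string entries that follow are easier to act on once they are summarised per process and the string records are cleaned up. The Python below is a worked example added by the editor; it is not part of the Joe Sandbox report and not Joe Security's, ReversingLabs', US-CERT's or Florian Roth's code. It parses report lines of both kinds, groups rule hits by process so that a detection confirmed by two independent rule families (Florian Roth, the us-cert code analysis team, ReversingLabs) stands out from a single-source hit, and splits each Binary string entry into its path and the stray characters that follow it. Two things in it are inferences from the lines on this page rather than facts the report states, and are marked as assumptions in the code: the meaning of the fields in source names such as 8.2.mssecsvc.exe.7100a4.1.unpack (process id, run, image, base address, index) and in the .sdmp names (hex process id, run, dump id, base address), read off the naming pattern; and the reading of the single printable character in front of \Device\ as a one-byte length prefix, which holds for every entry checked (':' is 0x3A = 58 and \Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys is 58 characters long; 'C' is 0x43 = 67 and \Device\HarddiskVolume2\Windows\SoftwareDistribution\DataStore\Logs is 67 characters long). The sample lines are copied from this page; the security-product path markers are a crude triage heuristic, not a classifier. The parser accepts the column boundary before "Matched rule:" and "Binary string:" with or without a separator, since text exports of these reports vary.

```python
"""Triage helpers for Joe Sandbox 'Matched rule' and 'Binary string' report lines."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report section above. Text exports may fuse
# the column before 'Matched rule:' / 'Binary string:'; the regexes accept either form.
SAMPLE_LINES = [
    r"Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T",
    r"Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set",
    r"Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware",
    r"Source: 0000000C.00000002.1424384794.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set",
    r"Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware",
    r"Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysT",
    r"Source: mssecsvc.exe.4.drBinary string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exeST",
    r"Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABCO",
]

MATCH_RE = re.compile(r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+?)\W*Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$")
BINSTR_RE = re.compile(r"^Source:\s*(?P<src>\S+?)\W*Binary string:\s*(?P<blob>.*)$")
# Assumed layout (inferred from the report's naming pattern): '<pid>.<run>.<image>.<base hex>.<n>[.raw].unpack' and '<pid hex>.<run hex>.<id>.<base hex>....sdmp'
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.\d+\.(?P<image>.+?)\.[0-9a-fA-F]+\.\d+(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}\.")
SECURITY_PRODUCT_MARKERS = ("\\avg", "\\avast", "_avast_", "windows defender")  # crude, triage only

def process_key(src, kind):
    """Return (pid or None, image or None) for a match source."""
    if kind == "DROPPED":
        return None, src.rsplit("\\", 1)[-1]
    m = UNPACK_RE.match(src)
    if m:
        return int(m["pid"]), m["image"]
    m = SDMP_RE.match(src)
    if m:
        return int(m["pid"], 16), None  # dump names carry no image; it is learned from unpack lines
    return None, src

def rule_family(meta):
    """Rule author minus any parenthetical: the unit of independent detection."""
    m = re.search(r"author\s*=\s*([^,(]+)", meta)
    return m.group(1).strip() if m else "unknown"

def summarize_matches(lines):
    """Per process (or dropped file): rules, rule families, corroborated = two or more families."""
    images, hits = {}, defaultdict(lambda: {"rules": set(), "families": set(), "kinds": set()})
    for line in lines:
        m = MATCH_RE.match(line)
        if not m:
            continue
        pid, image = process_key(m["src"], m["kind"])
        if pid is not None and image:
            images[pid] = image
        h = hits[pid if pid is not None else image]
        h["rules"].add(m["rule"])
        h["families"].add(rule_family(m["meta"]))
        h["kinds"].add(m["kind"])
    return {key: {"image": images.get(key) if isinstance(key, int) else key,
                  "rules": sorted(h["rules"]), "families": sorted(h["families"]),
                  "kinds": sorted(h["kinds"]), "corroborated": len(h["families"]) >= 2}
            for key, h in hits.items()}

def split_length_prefixed(blob):
    """Split a 'Binary string' blob into (length_byte, path, trailing).
    Observation inferred from the report lines (not stated by the sandbox): the one printable
    character before '\\Device\\' has an ordinal equal to the character count of the path after
    it (':' = 0x3A = 58 for the dmvsc.sys entry), i.e. length-prefixed path records whose
    overflow is the next record. No prefix (128+ char paths) or prefix > remainder: returned whole."""
    i = blob.find("\\Device\\")
    if i < 0:
        return None
    prefix, rest = blob[:i], blob[i:]
    if len(prefix) != 1 or ord(prefix) > len(rest):
        return None, rest, ""
    return ord(prefix), rest[:ord(prefix)], rest[ord(prefix):]

def classify_path(path):
    """Bucket a path: security-product locations first, else its first three components."""
    if any(marker in path.lower() for marker in SECURITY_PRODUCT_MARKERS):
        return "security-product"
    parts = [p for p in path.split("\\")[3:] if p]  # drop '', 'Device', 'HarddiskVolumeN'
    return "\\".join(parts[:3]) or "<volume root>"

def summarize_binary_strings(lines):
    recovered, categories, trailing = [], defaultdict(int), 0
    for line in lines:
        m = BINSTR_RE.match(line)
        rec = split_length_prefixed(m["blob"]) if m else None
        if rec is None:
            continue
        _, path, junk = rec
        recovered.append(path)
        categories[classify_path(path)] += 1
        trailing += len(junk)
    return {"paths": recovered, "categories": dict(categories), "trailing_chars_removed": trailing,
            "security_product_paths": [p for p in recovered if classify_path(p) == "security-product"]}

if __name__ == "__main__":
    for key, info in summarize_matches(SAMPLE_LINES).items():
        print(key, info["image"], "corroborated" if info["corroborated"] else "single family", info["rules"])
    print(summarize_binary_strings(SAMPLE_LINES))
```

Run as a script for a console summary, or pass the full report text split into lines. In the sample, process 6 (mssecsvc.exe) is hit by two families and is reported as corroborated, process 9 (tasksche.exe) only by ReversingLabs, and process 12 is seen only through a memory dump, so its image is left unnamed rather than guessed. The three stray characters stripped from the sample strings ("T" and "ST") are exactly the bytes the length prefix says do not belong to the path.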
              Source: mssecsvc.exe.4.dr | Binary string: C\Device\HarddiskVolume2\Windows\SoftwareDistribution\DataStore\Logs
              Source: mssecsvc.exe.4.dr | Binary string: @\Device\HarddiskVolume2\Windows\System32\ru-RU\WinSATAPI.dll.mui
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysT
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sysAUH
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dll
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wercplsupport.dll
              Source: mssecsvc.exe.4.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\QAGENTRT.DLL
              Source: mssecsvc.exe.4.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Locationp
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sysp
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysd
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\acpipmi.sysH
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sys
              Source: mssecsvc.exe.4.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\cabinet.dll
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABCO
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys&
              Source: mssecsvc.exe.4.dr | Binary string: h\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\mapi32.dll
              Source: mssecsvc.exe.4.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru_PTC
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\BrSerId.sys
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\Logs\SystemRestore
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sys?
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys;
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sys
              Source: mssecsvc.exe.4.dr | Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\en-US\ipnat.sys.muip
              Source: mssecsvc.exe.4.dr | Binary string: `\Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xmlp
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys,
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasRip-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SystemRestore-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\desktop.inip
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky009.catp
              Source: mssecsvc.exe.4.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrass.inf_loc0D
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\amdk8.sys
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\msdmo.dllF75p
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys@
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\umrdp.dllSTRP
              Source: mssecsvc.exe.4.dr | Binary string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgcmgr.exeST
              Source: mssecsvc.exe.4.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\mshdc.PNFp
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep004.catp
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep005.cat
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\1394ohci.sysp
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\DFDWiz.exeU0IS$
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep004.cat\
              Source: mssecsvc.exe.4.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\ndiscap.PNF
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IE-Troubleshooters-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\intelide.sys
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\shredlog.cfgp
              Source: mssecsvc.exe.4.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\partmgr.sys.mui
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F94FD5F2AAEFDB64257601230509A4E9H
              Source: mssecsvc.exe.4.dr | Binary string: Y\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc007.catp
              Source: mssecsvc.exe.4.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\httpapi.dllpp
              Source: mssecsvc.exe.4.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\ListSvc.dll
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sysH
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\arcsas.sysX
              Source: mssecsvc.exe.4.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netpacer.inf_locDa
              Source: mssecsvc.exe.4.dr | Binary string: U\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\2c07d841-785f-469b-81db-3ff900796688.png\
              Source: mssecsvc.exe.4.dr | Binary string: X\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft
              Source: mssecsvc.exe.4.dr | Binary string: Z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
              Source: mssecsvc.exe.4.dr | Binary string: x\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\AppIDp
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sysCP
              Source: mssecsvc.exe.4.dr | Binary string: #\Device\HarddiskVolume3\
              Source: mssecsvc.exe.4.dr | Binary string: +\Device\HarddiskVolume2\Windows\Performance
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sys
              Source: mssecsvc.exe.4.dr | Binary string: 3\Device\HarddiskVolume2\Windows\ehome\ehprivjob.exe
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catW
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\csllog.cfgLL
              Source: mssecsvc.exe.4.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\keyboard.PNF
              Source: mssecsvc.exe.4.dr | Binary string: m\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Myp
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exe
              Source: mssecsvc.exe.4.dr | Binary string: o\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\windows-legacy-whql.cat
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx004.catp
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exes\S
              Source: mssecsvc.exe.4.dr | Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CATWp
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp004.catWp
              Source: mssecsvc.exe.4.dr | Binary string: L\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\desktop.inip
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: O\Device\HarddiskVolume2\Windows\Temp\avg_a04392\avg-secure-search-installer.exep
              Source: mssecsvc.exe.4.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\input.PNFp
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sisraid2.sys
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sysH
              Source: mssecsvc.exe.4.dr | Binary string: >\Device\HarddiskVolume2\Program Files\AVG Web TuneUp\TBAPI.dllM
              Source: mssecsvc.exe.4.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\hdaudbus.inf_loc
              Source: mssecsvc.exe.4.dr | Binary string: P\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\battery.inf_loc
              Source: mssecsvc.exe.4.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_locBFFRp
              Source: mssecsvc.exe.4.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru1
              Source: mssecsvc.exe.4.dr | Binary string: c\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: {\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sys1
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catore.p
              Source: mssecsvc.exe.4.dr | Binary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\UAGP35.SYS.mui
              Source: mssecsvc.exe.4.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\en_CPU
              Source: mssecsvc.exe.4.dr | Binary string: K\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\input.inf_locH
              Source: mssecsvc.exe.4.dr | Binary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
              Source: mssecsvc.exe.4.dr | Binary string: +\Device\HarddiskVolume2\ProgramData\Avg\log
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpwd.sys
              Source: mssecsvc.exe.4.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndiscap.inf_loctform.
              Source: mssecsvc.exe.4.dr | Binary string: \\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Remote Access Hoste`
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\2c07d841-785f-469b-81db-3ff900796688.png
              Source: mssecsvc.exe.4.dr | Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\mpio.sys
              Source: mssecsvc.exe.4.dr | Binary string: ~\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files'*
              Source: mssecsvc.exe.4.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_locCC
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys
              Source: mssecsvc.exe.4.dr | Binary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex,
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sysS,
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.catp
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.dr | Binary string: ^\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows
              Source: mssecsvc.exe.4.dr | Binary string: v\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: 6\Device\HarddiskVolume2\Windows\System32\WinSATAPI.dllp
              Source: mssecsvc.exe.4.dr | Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\desktop.ini:
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LocalPrinting-Home-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\nslog.cfgS
              Source: mssecsvc.exe.4.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_loc
              Source: mssecsvc.exe.4.dr | Binary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\acpi.inf_loc
              Source: mssecsvc.exe.4.dr | Binary string: ,\Device\HarddiskVolume2\Windows\Temp\_avast_p
              Source: mssecsvc.exe.4.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\netsstpt.PNFwnp
              Source: mssecsvc.exe.4.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows Defender
              Source: mssecsvc.exe.4.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys9
              Source: mssecsvc.exe.4.dr | Binary string: 7\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: S\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites\desktop.ini
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr009.cat1p
              Source: mssecsvc.exe.4.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\publog.cfgk
              Source: mssecsvc.exe.4.dr | Binary string: V\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkH
              Source: mssecsvc.exe.4.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\udhisapi.dll
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: mssecsvc.exe.4.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\HdAudio.sys.muip
              Source: mssecsvc.exe.4.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_loc
              Source: mssecsvc.exe.4.dr | Binary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\smb.sysH
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\schedlog.cfgp
              Source: mssecsvc.exe.4.dr | Binary string: 7\Device\HarddiskVolume2\Windows\System32\MSMPEG2ENC.DLLp
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sysp
              Source: mssecsvc.exe.4.dr | Binary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_us.lngp
              Source: mssecsvc.exe.4.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\ndisuio.PNFT`
              Source: mssecsvc.exe.4.dr | Binary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpagent.log.1
              Source: mssecsvc.exe.4.dr | Binary string: q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Contentp
              Source: mssecsvc.exe.4.dr | Binary string: m\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.dr | Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep003.cat
              Source: mssecsvc.exe.4.dr | Binary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001H
              Source: mssecsvc.exe.4.dr | Binary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_ru.lng>"
              Source: mssecsvc.exe.4.dr | Binary string: .\Device\HarddiskVolume2\Windows\inf\wfplwf.PNF
              Source: mssecsvc.exe.4.dr | Binary string: 2\Device\HarddiskVolume2\Windows\Performance\WinSAT
              Source: mssecsvc.exe.4.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
              Source: mssecsvc.exe.4.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cdrom.inf_locp
              Source: mssecsvc.exe.4.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\fdPHost.dll
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623
              Source: mssecsvc.exe.4.drBinary string: z\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.236.gthr
              Source: mssecsvc.exe.4.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002H
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sys
              Source: mssecsvc.exe.4.drBinary string: k\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00w.cat
              Source: mssecsvc.exe.4.drBinary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost8P
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysPD
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_loc
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\blbdrive.inf_locH
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc00c.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sysp
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasmans.dll
              Source: mssecsvc.exe.4.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs1
              Source: mssecsvc.exe.4.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Error ReportingPU
              Source: mssecsvc.exe.4.drBinary string: /\Device\HarddiskVolume2\Windows\Temp\avg_a04392p
              Source: mssecsvc.exe.4.drBinary string: c\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibilityum
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00b.cat
              Source: mssecsvc.exe.4.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe}SDTL
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sys
              Source: mssecsvc.exe.4.drBinary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.catp
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aelupsvc.dll
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00d.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ciT
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasCMAK-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111~31bf3856ad364e35~x86~~6.1.1.0.cat
              Source: mssecsvc.exe.4.drBinary string: L\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
              Source: mssecsvc.exe.4.drBinary string: A\Device\HarddiskVolume2\Windows\System32\Speech\SpeechUX\sapi.cpl
              Source: mssecsvc.exe.4.drBinary string: L\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\/
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sysST
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sysp
              Source: mssecsvc.exe.4.drBinary string: f\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History68E:
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\msdtckrm.dll
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\amdsata.sys
              Source: mssecsvc.exe.4.drBinary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000H
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Users\Public\Documents\desktop.ini
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys F
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnts003.cat
              Source: mssecsvc.exe.4.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLsp
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\auditcse.dll
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\scfilter.sys.mui
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tbssvc.dllSTE
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx002.catp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usb.inf_locp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYSH
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catH
              Source: mssecsvc.exe.4.drBinary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntph.cat
              Source: mssecsvc.exe.4.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_locp
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\en-USC
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.inip
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\advpack.dll
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\ncobjapi.dllp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Sensors-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\history.xml
              Source: mssecsvc.exe.4.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journal
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysh
              Source: mssecsvc.exe.4.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\sqlceqp30.dll
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.cat
              Source: mssecsvc.exe.4.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netserv.PNFTMP8p
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HomeBasicEdition-wrapper~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: /\Device\HarddiskVolume2\Windows\inf\volsnap.PNFR07
              Source: mssecsvc.exe.4.drBinary string: `\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows~p
              Source: mssecsvc.exe.4.drBinary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\volmgrx.sys.muip
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysr
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.catlum
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux-AuxComp~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cat
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_loc
              Source: mssecsvc.exe.4.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\AMDAGP.SYS.mui
              Source: mssecsvc.exe.4.drBinary string: X\Device\HarddiskVolume2\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}t$p
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc005.catp
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\GAGP30KX.SYS.mui@p
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep002.catp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00c.catGQ
              Source: mssecsvc.exe.4.drBinary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sysskV
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\asyncmac.sys
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sysr*
              Source: mssecsvc.exe.4.drBinary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\AVG\AV\cfgall\fixcfg.lockc
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log
              Source: mssecsvc.exe.4.drBinary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe5E
              Source: mssecsvc.exe.4.drBinary string: +\Device\HarddiskVolume2\Windows\System32\ruIE
              Source: mssecsvc.exe.4.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\wbem\Logs856p
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysA
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sysD
              Source: mssecsvc.exe.4.drBinary string: q\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysd
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exeAP7PDC
              Source: mssecsvc.exe.4.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.catCp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catid4
              Source: mssecsvc.exe.4.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.2H
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\pots.dllp
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: \\Device\HarddiskVolume2\Windows\System32\ru-RU\microsoft-windows-kernel-power-events.dll.mui
              Source: mssecsvc.exe.4.drBinary string: t\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.inim
              Source: mssecsvc.exe.4.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exeta
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat$0p
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\dot3svc.dllPN
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysw
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\pnrpauto.dll
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\winusb.sysiv
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpscript.dll
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Windows\System32\config\systemprofile\Favorites3
              Source: mssecsvc.exe.4.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\qmgr.dll
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky007.catp
              Source: mssecsvc.exe.4.drBinary string: @\Device\HarddiskVolume2\Windows\Prefetch\SVCHOST.EXE-007FEA55.pf
              Source: mssecsvc.exe.4.drBinary string: S\Device\HarddiskVolume2\Program Files\Common Files\AV\avast! Antivirus\userdata.cab0_TS
              Source: mssecsvc.exe.4.drBinary string: A\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00y.catp
              Source: mssecsvc.exe.4.drBinary string: H\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
              Source: mssecsvc.exe.4.drBinary string: |\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.iniop
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\lpremove.exep
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys<\
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\System32\gatherNetworkInfo.vbs1
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat\
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\djsvs.sysD
              Source: mssecsvc.exe.4.drBinary string: O\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sys
              Source: mssecsvc.exe.4.drBinary string: S\Device\HarddiskVolume3\$RECYCLE.BIN\S-1-5-21-1870734524-1274666089-2119431859-1000H
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp002.catWp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.catH
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sys
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\rascfg.dll.mui
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Tuner-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ICM-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\User Profile Service
              Source: mssecsvc.exe.4.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avgwsc.exep
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\isapnp.sys
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbMdm.sys
              Source: mssecsvc.exe.4.drBinary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\umbus.sys.mui
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sys
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\ru-RU\erofflps.txt
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpu320.sys
              Source: mssecsvc.exe.4.drBinary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CATo
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976902_RTM~31bf3856ad364e35~x86~~6.1.1.17514.cat
              Source: mssecsvc.exe.4.drBinary string: F\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wersvc.dll
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Users\Public\Desktop\Google Chrome.lnk
              Source: mssecsvc.exe.4.drBinary string: ?\Device\HarddiskVolume2\Windows\System32\drivers\Synth3dVsc.sys
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.catp
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\Defrag.exe
              Source: mssecsvc.exe.4.drBinary string: A\Device\HarddiskVolume2\Windows\Prefetch\AVGUIRNX.EXE-006CD133.pfp
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\inf\netvwififlt.PNFF4
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\aliide.sys
              Source: mssecsvc.exe.4.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\werconcpl.dll
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYSt
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sysP
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catPROTp
              Source: mssecsvc.exe.4.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA_S
              Source: mssecsvc.exe.4.drBinary string: V\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
              Source: mssecsvc.exe.4.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetTrace
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sys
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netnwifi.inf_loc
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr006.cat
              Source: mssecsvc.exe.4.drBinary string: C\Device\HarddiskVolume2\Program Files\Internet Explorer\ieproxy.dll
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sfloppy.sysH
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef.pakp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnts002.catp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~en-US~8.0.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaDataI
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndisuio.inf_locp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00f.catCp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\AMDAGP.SYS.pdap
              Source: mssecsvc.exe.4.drBinary string: 6\Device\HarddiskVolume2\ProgramData\Avg\AV\DB\stats.db\/
              Source: mssecsvc.exe.4.drBinary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem9.CATpx
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exe
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrFiltUp.sys
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Personalization-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\Performance\WinSAT\DataStore
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\SndVol.exep
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys\
              Source: mssecsvc.exe.4.drBinary string: \\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Remote Access Hostb
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catdp
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\WcsPlugInService.dll
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys$
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\sdrsvc.dll
              Source: mssecsvc.exe.4.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usbport.inf_loc
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EnterpriseEdition-wrapper~31bf3856ad364e35~x86~~6.1.7601.17514.catHp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYS
              Source: mssecsvc.exe.4.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtectionPM
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Xps-Foundation-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp003.catC
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sys
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Sidebar-Killbits-SDP-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catH
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky004.cat\
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: Z\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sysX
              Source: mssecsvc.exe.4.drBinary string: ~\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysW
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql2300.sys
              Source: mssecsvc.exe.4.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrast.inf_loc'*
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-6ff9b621-270c-4f57-87d7-93687ce43d15.tmpp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~en-US~6.1.7601.17514.cat5E5p
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prngt003.catp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: s\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0R
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\consent.exe
              Source: mssecsvc.exe.4.drBinary string: R\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffdisk.sys
              Source: mssecsvc.exe.4.drBinary string: 0\Device\HarddiskVolume2\Windows\System32\DXP.dllp
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\SoftwareDistribution\DataStore
              Source: mssecsvc.exe.4.drBinary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgns.log.lock
              Source: mssecsvc.exe.4.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\smb.sys
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sysfw\ZZ_
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cate
              Source: mssecsvc.exe.4.drBinary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem9.CATmp
              Source: mssecsvc.exe.4.drBinary string: L\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aitagent.exe
              Source: mssecsvc.exe.4.drBinary string: 1\Device\HarddiskVolume2\ProgramData\Microsoft\RAC
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\RacEngn.dllPU
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-6ff9b621-270c-4f57-87d7-93687ce43d15.tmp$
              Source: mssecsvc.exe.4.drBinary string: V\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Media Center\Extender
              Source: mssecsvc.exe.4.drBinary string: b\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgns.logUSB4
              Source: mssecsvc.exe.4.drBinary string: ,\Device\HarddiskVolume2\Windows\System32\wfpip
              Source: mssecsvc.exe.4.drBinary string: ^\Device\HarddiskVolume2\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys2
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\inf\compositebus.PNFp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sys(
              Source: mssecsvc.exe.4.drBinary string: /\Device\HarddiskVolume2\Windows\inf\machine.PNF
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Registry
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.dirp
              Source: mssecsvc.exe.4.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netip6.inf_loc
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacMetaData.dat
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mspqm.sysP5
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\vdrvroot.sys.mui
              Source: mssecsvc.exe.4.drBinary string: )\Device\HarddiskVolume2\Windows\Resources
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sys3
              Source: mssecsvc.exe.4.drBinary string: @\Device\HarddiskVolume2\Windows\System32\appidcertstorecheck.exe
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\IPSECSVC.DLL
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr008.cat
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00b.cat
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYS\W
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys
              Source: mssecsvc.exe.4.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\catroot2\edb.logp
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbohci.sys
              Source: mssecsvc.exe.4.drBinary string: ]\Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtxp
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adp94xx.sysLP
              Source: mssecsvc.exe.4.drBinary string: b\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core~31bf3856ad364e35~x86~~7.6.7600.320.cat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.widV
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\GAGP30KX.SYS
              Source: mssecsvc.exe.4.drBinary string: .\Device\HarddiskVolume2\Windows\inf\netip6.PNF
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\SCardSvr.dll
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini&
              Source: mssecsvc.exe.4.drBinary string: V\Device\HarddiskVolume2\Users\
              Source: mssecsvc.exe.4.drBinary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\rdbss.sys.mui\p
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-27617c4e-7c1a-491f-b8be-a34d5070ed64.tmp|$hH
              Source: mssecsvc.exe.4.drBinary string: \Device\CdRom0PchSmi
              Source: mssecsvc.exe.4.drBinary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16rp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc003.catp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYSx
              Source: mssecsvc.exe.4.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\timedate.cplp
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysl\2
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky008.cat
              Source: mssecsvc.exe.4.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\fixcfg.log
              Source: mssecsvc.exe.4.drBinary string: 0\Device\HarddiskVolume2\Windows\System32\wmp.dll
              Source: mssecsvc.exe.4.drBinary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookiesp
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00h.cat
              Source: mssecsvc.exe.4.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netip6.inf_locp
              Source: mssecsvc.exe.4.drBinary string: C\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ntfs.sys.mui
              Source: mssecsvc.exe.4.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\FXSSVC.exe
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sys
              Source: mssecsvc.exe.4.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLsCPU1
              Source: mssecsvc.exe.4.drBinary string: 1\Device\HarddiskVolume2\Windows\Temp\CR_6DDFF.tmpp
              Source: mssecsvc.exe.4.drBinary string: 0\Device\HarddiskVolume2\Windows\System32\url.dll
              Source: mssecsvc.exe.4.drBinary string: \Device\Harddisk0\DR0p
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys=\(
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Editions-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catrs\p
              Source: mssecsvc.exe.4.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft$Hp
              Source: mssecsvc.exe.4.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\amdppm.sys.mui
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys|$P@
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00d.catp
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYS8
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sys\/
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYS3
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\VIAAGP.SYS.
              Source: mssecsvc.exe.4.drBinary string: p\Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtxxpp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Indexing-Service-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat\$p
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\flpydisk.sys
              Source: mssecsvc.exe.4.drBinary string: K\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
              Source: mssecsvc.exe.4.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\Tasks\WPDGtn
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sysV
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SampleContent-Ringtones-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: 9\Device\HarddiskVolume2\Program Files\AVG\Av\avgmfapx.exep
              Source: mssecsvc.exe.4.drBinary string: F\Device\HarddiskVolume2\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pfH
              Source: mssecsvc.exe.4.drBinary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem12.CAT
              Source: mssecsvc.exe.4.drBinary string: F\Device\HarddiskVolume2\Program Files\AVG Web TuneUp\BundleInstall.exe
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc004.cat
              Source: mssecsvc.exe.4.drBinary string: ?\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\icudtl.datp
              Source: mssecsvc.exe.4.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sys\
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys4
              Source: mssecsvc.exe.4.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\nettcpip.PNFS
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\MegaSR.sysDC2
              Source: mssecsvc.exe.4.drBinary string: [\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatformU3
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\umpass.sys
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys
              Source: mssecsvc.exe.4.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_scsi.sys
              Source: mssecsvc.exe.4.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\fsdepends.sysd0`p
              Source: mssecsvc.exe.4.drBinary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00h.catSp
              Source: mssecsvc.exe.4.drBinary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
              Source: mssecsvc.exe.4.drBinary string: |\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.datp
              Source: mssecsvc.exe.4.drBinary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat:
              Source: mssecsvc.exe.4.drBinary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\processr.sys.mui
              Source: mssecsvc.exe.4.drBinary string: C\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\acpi.sys.mui
              Source: mssecsvc.exe.4.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\djsvs.sys
              Source: mssecsvc.exe.4.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sys2\
              Source: mssecsvc.exe.4.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasauto.dll_S
              Source: mssecsvc.exe, 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1423659379.000000000040E000.00000008.00000001.01000000.00000007.sdmp, jpXNd6Kt8z.dll, tasksche.exe.6.dr, mssecsvc.exe.4.drBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
              Source: classification engineClassification label: mal100.rans.expl.evad.winDLL@20/3@0/100
              Source: C:\Windows\mssecsvc.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
              Source: C:\Windows\mssecsvc.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,8_2_00407C40
              Source: C:\Windows\tasksche.exeCode function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,9_2_00401CE8
              Source: C:\Windows\mssecsvc.exeCode function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,6_2_00407CE0
              Source: C:\Windows\mssecsvc.exeCode function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
              Source: C:\Windows\mssecsvc.exeCode function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,6_2_00408090
              Source: C:\Windows\mssecsvc.exeCode function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,8_2_00408090
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
              Source: jpXNd6Kt8z.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jpXNd6Kt8z.dll,PlayGame
              Source: jpXNd6Kt8z.dllReversingLabs: Detection: 94%
              Source: jpXNd6Kt8z.dllVirustotal: Detection: 93%
              Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll"
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jpXNd6Kt8z.dll,PlayGame
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
              Source: unknownProcess created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
              Source: C:\Windows\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",PlayGame
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jpXNd6Kt8z.dll,PlayGame
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",PlayGame
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dll
              Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: apphelp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: msvcp60.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wininet.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iertutil.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: sspicli.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: windows.storage.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wldp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: profapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winhttp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: mswsock.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winnsi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: msvcp60.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wininet.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iertutil.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: sspicli.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: windows.storage.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wldp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: profapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winhttp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: mswsock.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winnsi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: dnsapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: msvcp60.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wininet.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: iertutil.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: sspicli.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: windows.storage.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: wldp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: profapi.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winhttp.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: mswsock.dll
              Source: C:\Windows\mssecsvc.exeSection loaded: winnsi.dll
              Source: C:\Windows\mssecsvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: jpXNd6Kt8z.dllStatic file information: File size 5267459 > 1048576
              Source: jpXNd6Kt8z.dllStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
              Source: C:\Windows\tasksche.exeCode function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_00401A45
              Source: C:\Windows\tasksche.exeCode function: 9_2_00407710 push eax; ret 9_2_0040773E
              Source: C:\Windows\tasksche.exeCode function: 9_2_004076C8 push eax; ret 9_2_004076E6

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeExecutable created and started: C:\WINDOWS\tasksche.exe
              Source: C:\Windows\mssecsvc.exeFile created: C:\WINDOWS\qeriuwjhrf (copy)
              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeFile created: C:\Windows\tasksche.exe
              Source: C:\Windows\mssecsvc.exeFile created: C:\WINDOWS\qeriuwjhrf (copy)
              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exeFile created: C:\Windows\tasksche.exe
Source: C:\Windows\mssecsvc.exe | Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported for each of the three rundll32.exe instances)
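The chain above (rundll32.exe writes C:\Windows\mssecsvc.exe and starts it, mssecsvc.exe writes tasksche.exe and starts it, and a service is created and started through OpenSCManagerA/CreateServiceA/StartServiceA) is exactly what a detection engineer would want to catch from endpoint telemetry. The following is an added example, not code from this report or from Joe Sandbox: it runs a drop-and-execute correlation over a constructed set of Sysmon-style events (ID 1 process create, ID 11 file create) plus a System-log 7045 service-install event that mirror the report's process tree. The field names follow Sysmon and the 7045 event; the allowlist of legitimate writers to C:\Windows, the benign noise events and the service name (which the report does not give) are assumptions.

```python
"""Correlate 'file written under C:\\Windows' with a later process start
or service install from that path (the report's drop-and-start chain)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed Sysmon-style events mirroring the report's process tree; not real telemetry.
# EventID 1 = process create, 11 = file create (Sysmon); 7045 = service installed (System log).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1'},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetFilename": r"C:\Windows\mssecsvc.exe"},
    {"EventID": 1, "Image": r"C:\WINDOWS\mssecsvc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": "mssecsvc.exe"},
    {"EventID": 7045, "ServiceName": "<not in report>",   # assumption: the report omits the name
     "ImagePath": r"C:\WINDOWS\mssecsvc.exe", "StartType": "auto start"},
    {"EventID": 11, "Image": r"C:\Windows\mssecsvc.exe",
     "TargetFilename": r"C:\WINDOWS\qeriuwjhrf"},
    {"EventID": 11, "Image": r"C:\Windows\mssecsvc.exe",
     "TargetFilename": r"C:\Windows\tasksche.exe"},
    {"EventID": 1, "Image": r"C:\Windows\tasksche.exe",
     "ParentImage": r"C:\Windows\mssecsvc.exe", "CommandLine": "tasksche.exe"},
    # Benign noise (constructed): servicing stack writing under C:\Windows, a user file elsewhere.
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\update.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

WINDIR = "c:\\windows\\"
# Assumption: images that legitimately write under C:\Windows; tune per estate.
ALLOWED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    path: str      # normalised path of the dropped file
    writer: str    # image that wrote it
    detail: str    # parent image (execution) or service name (7045)


def norm(path: str) -> str:
    """Case-fold and use backslashes so C:\\WINDOWS\\x and C:\\Windows\\x compare equal."""
    return path.strip('"').replace("/", "\\").lower()


def analyse(events):
    """Return (alerts, drops): drops maps each tracked file written under
    C:\\Windows to its writer; an alert fires when such a file is later
    executed or registered as a service image."""
    drops: dict[str, str] = {}
    alerts: list[Alert] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target, writer = norm(ev["TargetFilename"]), norm(ev["Image"])
            # Logs carry no file content, so unlike the sandbox we cannot look for a
            # PE header; any write under C:\Windows by a non-allowlisted image is
            # tracked (qeriuwjhrf has no extension at all, so extension checks miss it).
            if target.startswith(WINDIR) and writer.rsplit("\\", 1)[-1] not in ALLOWED_WRITERS:
                drops[target] = writer
        elif eid == 1:
            image = norm(ev["Image"])
            if image in drops:
                alerts.append(Alert("drop_and_execute", image, drops[image], norm(ev["ParentImage"])))
        elif eid == 7045:
            image = norm(ev["ImagePath"])
            if image in drops:
                alerts.append(Alert("service_from_dropped_file", image, drops[image], ev["ServiceName"]))
    return alerts, drops


if __name__ == "__main__":
    found, dropped = analyse(EVENTS)
    for a in found:
        print(f"{a.rule}: {a.path} written by {a.writer} ({a.detail})")
    for path in sorted(set(dropped) - {a.path for a in found}):
        print(f"dropped but not executed: {path}")
```

On the report's chain this yields three alerts (mssecsvc.exe executed, mssecsvc.exe registered as a service image, tasksche.exe executed) and one tracked-but-unexecuted drop (qeriuwjhrf), which matches the report: the (copy) file is written but never started.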
Source: C:\Windows\mssecsvc.exe | Thread delayed: delay time: 86400000
Source: C:\Windows\mssecsvc.exe TID: 7648 | Thread sleep count: 92 > 30
Source: C:\Windows\mssecsvc.exe TID: 7648 | Thread sleep time: -184000s >= -30000s
Source: C:\Windows\mssecsvc.exe TID: 7660 | Thread sleep count: 125 > 30
Source: C:\Windows\mssecsvc.exe TID: 7660 | Thread sleep count: 44 > 30
Source: C:\Windows\mssecsvc.exe TID: 7648 | Thread sleep time: -86400000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\mssecsvc.exe | Thread delayed: delay time: 86400000
Note: delay times are Sleep() arguments in milliseconds. 86400000 ms is 24 hours, far longer than the 4 minute 53 second run recorded in the analysis metadata below, so the sleeping thread never resumed inside the sandbox and the analysis ended on timeout.
Source: mssecsvc.exe, 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1424441355.0000000000410000.00000002.00000001.01000000.00000007.sdmp, jpXNd6Kt8z.dll, tasksche.exe.6.dr, mssecsvc.exe.4.dr | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe, 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1424441355.0000000000410000.00000002.00000001.01000000.00000007.sdmp, jpXNd6Kt8z.dll, tasksche.exe.6.dr, mssecsvc.exe.4.dr | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe, 00000006.00000002.1411561625.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2039841020.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.1425479896.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: the Hyper-V strings above are catalog and provider names from the analysis host observed in process memory; on their own they show that the sample ran inside a Hyper-V guest, not that it contains a check for one.
Source: C:\Windows\tasksche.exe | Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_00401A45
Source: C:\Windows\tasksche.exe | Code function: 9_2_004029CC free,GetProcessHeap,HeapFree, 9_2_004029CC
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: mssecsvc.exe, 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1424441355.0000000000410000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe.6.dr, mssecsvc.exe.4.dr | Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
MITRE ATT&CK Matrix (cells as rendered in the report, grouped by tactic; the number in parentheses is the signature-count badge extracted with that cell, cells without a number had no matching signature; repeated template cells collapsed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Service Execution (2); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: Windows Service (4); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Windows Service (4); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (12); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Network Share Discovery (1); Security Software Discovery (121); Virtualization/Sandbox Evasion (21); System Information Discovery (2); Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (22); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Data Encrypted for Impact (1); Network Denial of Service; Data Destruction; Service Stop
Behavior Graph (ID 1591261, sample jpXNd6Kt8z.dll, start date 14/01/2025, architecture WINDOWS, score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures

Process tree (started processes, dropped files, and the signatures the graph attaches to each node):
- loaddll32.exe
  - cmd.exe
    - rundll32.exe
      - mssecsvc.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
        - dropped: C:\Windows\tasksche.exe (PE32)
        - tasksche.exe [Detected Wannacry Ransomware; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
  - rundll32.exe [Drops executables to the windows directory (C:\Windows) and starts them]
    - mssecsvc.exe [Drops executables to the windows directory (C:\Windows) and starts them]
      - dropped: C:\WINDOWS\qeriuwjhrf (copy) (PE32)
      - tasksche.exe
  - rundll32.exe
    - dropped: C:\Windows\mssecsvc.exe (PE32)
  - conhost.exe
- mssecsvc.exe (second instance at the root of the graph, not a child of the rundll32 chain; consistent with the CreateServiceA/StartServiceA call in 6_2_00407C40 listed under Persistence and Installation Behavior)
  - network: 192.168.2.102, 192.168.2.103 and 98 other IPs or domains [Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit)]

Screenshots: one screenshot (windows-stand); images are not reproduced in this text version.
Antivirus detection: initial sample
Source | Detection | Scanner | Label
jpXNd6Kt8z.dll | 95% | ReversingLabs | Win32.Ransomware.WannaCry
jpXNd6Kt8z.dll | 93% | Virustotal | (Browse)
jpXNd6Kt8z.dll | 100% | Avira | TR/AD.WannaCry.jxpvm
jpXNd6Kt8z.dll | 100% | Joe Sandbox ML |

Antivirus detection: dropped files
Source | Detection | Scanner | Label
C:\Windows\tasksche.exe | 100% | Avira | TR/AD.WannaCry.jxpvm
C:\Windows\mssecsvc.exe | 100% | Avira | TR/AD.WannaCry.jxpvm
C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
C:\Windows\mssecsvc.exe | 100% | Joe Sandbox ML |
C:\WINDOWS\qeriuwjhrf (copy) | 100% | ReversingLabs | Win32.Ransomware.WannaCry
C:\WINDOWS\qeriuwjhrf (copy) | 94% | Virustotal | (Browse)
C:\Windows\mssecsvc.exe | 97% | ReversingLabs | Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe | 90% | Virustotal | (Browse)
C:\Windows\tasksche.exe | 100% | ReversingLabs | Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe | 94% | Virustotal | (Browse)

Unpacked PE files, domains and URLs: no Antivirus matches. No contacted domains info.
Contacted public IPs (the Flag column of the original table is omitted; ASN names are shown with their spacing restored)
IP | Domain | Country | ASN | ASN Name | Malicious
149.96.103.1 | unknown | United States | 16839 | SNC | false
149.96.103.2 | unknown | United States | 16839 | SNC | false
220.92.122.1 | unknown | Korea Republic of | 9708 | PKNU-AS Pukyong National University | false
93.252.137.1 | unknown | Germany | 3320 | DTAG Internet service provider operations | false
95.189.127.1 | unknown | Russian Federation | 12389 | ROSTELECOM-AS | false
94.116.139.1 | unknown | United Kingdom | 41012 | THECLOUD | false
146.143.226.222 | unknown | United States | 7046 | RFC2270-UUNET-CUSTOMER | false
78.131.168.1 | unknown | Poland | 20960 | TKTELEKOM-AS | false
108.154.178.174 | unknown | United States | 16509 | AMAZON-02 | false
33.222.99.1 | unknown | United States | 2686 | ATGS-MMD-AS | false
164.172.250.1 | unknown | United States | 22773 | ASN-CXA-ALL-CCI-22773-RDC | false
190.48.125.1 | unknown | Argentina | 22927 | Telefonica de Argentina | false
190.48.125.196 | unknown | Argentina | 22927 | Telefonica de Argentina | false
91.124.228.2 | unknown | Ukraine | 6849 | UKRTELNET | false
91.124.228.1 | unknown | Ukraine | 6849 | UKRTELNET | false
46.72.240.1 | unknown | Russian Federation | 12714 | TI-AS Moscow Russia | false
18.144.38.1 | unknown | United States | 16509 | AMAZON-02 | false
211.197.80.1 | unknown | Korea Republic of | 55592 | KDT-AS-KR Korea Data Telecommunication Co Ltd | false
216.145.81.9 | unknown | United States | 22792 | MNET | false
33.222.99.200 | unknown | United States | 2686 | ATGS-MMD-AS | false
221.249.132.66 | unknown | Japan | 17506 | UCOM ARTERIA Networks Corporation | false

None of these 21 addresses is flagged malicious and no domain resolved to any of them; the report gives no command-and-control context for them, and its own signatures attribute the sample's burst of connections to spreading over SMB. Treat them as scan targets rather than as infrastructure indicators unless other evidence says otherwise.
Contacted private IPs (79 hosts in 192.168.2.0/24; the report lists them one per line, collapsed here into ranges)
192.168.2.90-99
192.168.2.102-109
192.168.2.120-159
192.168.2.223-227
192.168.2.229
192.168.2.240-254
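The 79 private addresses above plus the 21 public ones in the preceding table are 100 distinct hosts contacted during an analysis run of under five minutes, which is the burst the report labels as spreading over SMB. The following is an added example, not the report's or Joe Sandbox's code: it replays those addresses as a constructed connection log (timestamp, source, destination, destination port) and applies the detection a SOC would run against it, namely one source reaching an unusual number of distinct peers on 445/tcp inside a time window, with the private targets collapsed into ranges so a /24 sweep is visible at a glance. The victim source 192.168.2.100, the benign host 192.168.2.50, the timing, the 60 second window and the threshold of 20 peers are assumptions, as is reading "via SMB" as 445/tcp.

```python
"""Flag a host that opens 445/tcp to many distinct peers in a short window."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

SMB_PORT = 445      # assumption: "via SMB" in the report means 445/tcp
WINDOW_S = 60.0     # assumption: detection window in seconds
THRESHOLD = 20      # assumption: distinct 445/tcp peers per source per window

# Private targets from the report's contacted-IP list, as ranges (79 hosts).
_PRIVATE_RANGES = [(90, 99), (102, 109), (120, 159), (223, 227), (229, 229), (240, 254)]
PRIVATE_TARGETS = [f"192.168.2.{h}" for lo, hi in _PRIVATE_RANGES for h in range(lo, hi + 1)]
# Public targets from the report's contacted-IP table (21 hosts).
PUBLIC_TARGETS = [
    "149.96.103.1", "149.96.103.2", "220.92.122.1", "93.252.137.1", "95.189.127.1",
    "94.116.139.1", "146.143.226.222", "78.131.168.1", "108.154.178.174", "33.222.99.1",
    "164.172.250.1", "190.48.125.1", "190.48.125.196", "91.124.228.2", "91.124.228.1",
    "46.72.240.1", "18.144.38.1", "211.197.80.1", "216.145.81.9", "33.222.99.200",
    "221.249.132.66",
]


def build_log() -> list[str]:
    """Constructed conn log 'ts,src,dst,dport': 192.168.2.100 (assumed victim)
    touches every target 0.2 s apart; 192.168.2.50 is benign background."""
    lines = [f"{i * 0.2:.1f},192.168.2.100,{dst},{SMB_PORT}"
             for i, dst in enumerate(PRIVATE_TARGETS + PUBLIC_TARGETS)]
    lines += ["0.5,192.168.2.50,192.168.2.10,445",
              "1.5,192.168.2.50,192.168.2.10,445",
              "2.0,192.168.2.50,8.8.8.8,53"]
    return lines


def _fmt(start, end) -> str:
    return str(start) if start == end else f"{start}-{str(end).rsplit('.', 1)[1]}"


def collapse(addrs) -> list[str]:
    """Collapse IPv4 addresses into 'a.b.c.x-y' strings without crossing a /24."""
    out, start, prev = [], None, None
    for a in sorted(ipaddress.ip_address(x) for x in addrs):
        same_24 = start is not None and int(a) >> 8 == int(start) >> 8
        if prev is not None and int(a) == int(prev) + 1 and same_24:
            prev = a
            continue
        if start is not None:
            out.append(_fmt(start, prev))
        start = prev = a
    if start is not None:
        out.append(_fmt(start, prev))
    return out


def classify(dsts) -> dict:
    """Split a destination set into private/public and summarise the private side."""
    private = {d for d in dsts if ipaddress.ip_address(d).is_private}
    return {"distinct": len(dsts), "private": len(private),
            "public": len(dsts) - len(private), "private_ranges": collapse(private)}


def detect_smb_sweep(lines, window=WINDOW_S, threshold=THRESHOLD) -> dict:
    """Return {source: summary} for every source that reaches at least
    `threshold` distinct 445/tcp peers inside any `window`-second span."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split(",")
        if int(dport) == SMB_PORT:
            per_src[src].append((float(ts), dst))
    alerts = {}
    for src, conns in per_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            # distinct peers reached within [t0, t0 + window]; O(n^2) is fine at this size
            peers = {d for t, d in conns[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = classify(peers)
                break
    return alerts


if __name__ == "__main__":
    for src, summary in detect_smb_sweep(build_log()).items():
        print(src, summary)
```

On the constructed log the only alert is for 192.168.2.100, summarised as 100 distinct peers (79 private in the six ranges listed above, 21 public); the benign host, which reaches a single file server twice, stays below the threshold. In production the same logic runs over Zeek conn.log or firewall export rows, and the private-range summary is what separates a WannaCry-style /24 sweep from a backup job that touches many hosts on 445.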
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1591261
              Start date and time:2025-01-14 20:56:11 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 53s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:jpXNd6Kt8z.dll
              renamed because original name is a hash value
              Original Sample Name:1bda83265aeaeda718ef23fca3e1fe8d.dll
              Detection:MAL
              Classification:mal100.rans.expl.evad.winDLL@20/3@0/100
              EGA Information:
              • Successful, ratio: 66.7%
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .dll
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 172.202.163.200
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tasksche.exe, PID 7676 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:57:12 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
14:57:45 | API Interceptor | 112x Sleep call for process: mssecsvc.exe modified
IP context: none
Domain context: none
ASN context (earlier Joe Sandbox submissions that contacted the same ASNs; the SHA 256 and Link columns were hyperlinks and are omitted)
ASN | Associated sample / URL | Detection | Threat name | Context IP
DTAG Internet service provider operations (DE) | Fantazy.arm4.elf | malicious | Unknown | 79.245.98.134
DTAG Internet service provider operations (DE) | meth1.elf | malicious | Mirai | 87.158.141.129
DTAG Internet service provider operations (DE) | arm4.elf | malicious | Unknown | 217.95.63.155
DTAG Internet service provider operations (DE) | m68k.elf | malicious | Unknown | 79.192.139.191
DTAG Internet service provider operations (DE) | x86.elf | malicious | Unknown | 87.181.123.222
DTAG Internet service provider operations (DE) | meth4.elf | malicious | Mirai | 84.143.15.193
DTAG Internet service provider operations (DE) | arm5.elf | malicious | Unknown | 129.181.212.44
DTAG Internet service provider operations (DE) | i486.elf | malicious | Unknown | 84.162.239.118
DTAG Internet service provider operations (DE) | meth14.elf | malicious | Mirai | 93.196.38.24
DTAG Internet service provider operations (DE) | meth9.elf | malicious | Mirai | 87.139.190.207
PKNU-AS Pukyong National University (KR) | loligang.spc.elf | malicious | Mirai | 210.119.2.209
PKNU-AS Pukyong National University (KR) | firmware.i586.elf | malicious | Unknown | 220.92.107.182
PKNU-AS Pukyong National University (KR) | AmB1BEuML9.elf | malicious | Unknown | 220.92.107.117
PKNU-AS Pukyong National University (KR) | QH7ZIJS8m7.elf | malicious | Mirai | 220.92.107.110
PKNU-AS Pukyong National University (KR) | jo7EyIiUsZ.elf | malicious | Mirai | 220.92.107.180
PKNU-AS Pukyong National University (KR) | HjcfRxS8pZ.elf | malicious | Mirai | 220.92.107.183
PKNU-AS Pukyong National University (KR) | mirai.arm.elf | malicious | Mirai | 210.119.5.11
PKNU-AS Pukyong National University (KR) | 9fXSSSJdYd.elf | malicious | Mirai | 220.92.107.152
PKNU-AS Pukyong National University (KR) | TLPP4GPVY6.elf | malicious | Mirai | 220.92.107.155
PKNU-AS Pukyong National University (KR) | 86o0jBHkWl.elf | malicious | Mirai, Moobot | 14.44.120.77
SNC (US) | original.eml | malicious | Unknown | 149.96.176.144
SNC (US) | https://tinyurl.com/NDCEurope | malicious | Unknown | 149.96.145.29
SNC (US) | SecuriteInfo.com.Linux.Siggen.9999.2027.4559.elf | malicious | Mirai | 148.139.211.25
SNC (US) | https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e | malicious | Unknown | 148.139.13.160
SNC (US) | https://portal.basware.com/user/password/reset/3f790ddb-1bed-488e-a431-6d4f1205a347 | malicious | Unknown | 149.96.120.9
SNC (US) | botx.mips.elf | malicious | Mirai | 149.96.42.204
SNC (US) | https://us02web.zoom.us/webinar/register/WN_7CDol1QPS2eD_bT1ntjWmg | malicious | Unknown | 149.96.161.28
SNC (US) | https://us02web.zoom.us/webinar/register/6317193087387/WN_wbycs5lISL2eo8rEP6qUDg#/registration | malicious | Unknown | 149.96.161.28
SNC (US) | Doc3.docx | malicious | Unknown | 149.96.161.28
SNC (US) | RDEHNTKF1V.elf | malicious | Mirai, Moobot | 148.139.66.169

Sharing an ASN with earlier submissions is coincidental for consumer ISP and hosting ranges of this size (the other samples are mostly Mirai variants and unrelated URLs) and is not evidence of shared infrastructure with this sample.
JA3 fingerprint context: none
Dropped file context (the same dropped file seen in earlier Joe Sandbox submissions; the SHA 256 and Link columns were hyperlinks and are omitted)
File | Associated sample | Detection | Threat name
C:\WINDOWS\qeriuwjhrf (copy) | AIuBPU1Zm5.exe | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | y2jb4FtSNq.dll | malicious | Wannacry, Virut
C:\WINDOWS\qeriuwjhrf (copy) | 7B6t4L7E2o.dll | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | 4GDffePnzH.dll | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | HFKDS6VcNO.dll | malicious | Wannacry, Virut
C:\WINDOWS\qeriuwjhrf (copy) | FjYNZSPNkt.dll | malicious | Wannacry, Virut
C:\WINDOWS\qeriuwjhrf (copy) | kBBdc7Aoj4.dll | malicious | Wannacry, Virut
C:\WINDOWS\qeriuwjhrf (copy) | tct5NKwZY8.dll | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | 7KPQg3aXdC.dll | malicious | Wannacry, Virut
C:\WINDOWS\qeriuwjhrf (copy) | ngFFOGiE7Y.dll | malicious | Wannacry
Dropped file: C:\WINDOWS\qeriuwjhrf (copy)
Process: C:\Windows\mssecsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
                                  Size (bytes):3514368
                                  Entropy (8bit):6.5250408221172975
                                  Encrypted:false
                                  SSDEEP:49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAL:QqPoBhz1aRxcSUDk36SA8
                                  MD5:3233ACED9279EF54267C479BBA665B90
                                  SHA1:0B2CC142386641901511269503CDF6F641FAD305
                                  SHA-256:F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
                                  SHA-512:55F25C51FFB89D46F2A7D2ED9B67701E178BD68E74B71D757D5FA14BD9530A427104FC36116633033EAD762ECF7960AB96429F5B0A085A701001C6832BA4555E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 100%
                                  • Antivirus: Virustotal, Detection: 94%, Browse
                                  Joe Sandbox View:
                                  • Filename: AIuBPU1Zm5.exe, Detection: malicious, Browse
                                  • Filename: y2jb4FtSNq.dll, Detection: malicious, Browse
                                  • Filename: 7B6t4L7E2o.dll, Detection: malicious, Browse
                                  • Filename: 4GDffePnzH.dll, Detection: malicious, Browse
                                  • Filename: HFKDS6VcNO.dll, Detection: malicious, Browse
                                  • Filename: FjYNZSPNkt.dll, Detection: malicious, Browse
                                  • Filename: kBBdc7Aoj4.dll, Detection: malicious, Browse
                                  • Filename: tct5NKwZY8.dll, Detection: malicious, Browse
                                  • Filename: 7KPQg3aXdC.dll, Detection: malicious, Browse
                                  • Filename: ngFFOGiE7Y.dll, Detection: malicious, Browse
Reputation: moderate, very likely benign file (a file-reputation field that is contradicted here by Malicious: true and the 100% ReversingLabs detection above; treat the reputation value as unreliable for this file)
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................
Dropped file: C:\Windows\mssecsvc.exe
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
                                  Size (bytes):3723264
                                  Entropy (8bit):6.52788819151477
                                  Encrypted:false
                                  SSDEEP:49152:VnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:Z8qPoBhz1aRxcSUDk36SA
                                  MD5:F231DD1364C3E09C7885EE23750D87A2
                                  SHA1:5EC0790003098D4775A6C462EED89D40C0A0A205
                                  SHA-256:BAA194CE631063952147F72D3BAB6DFB0AD45EE619ED53ED3235BB88C433D6DB
                                  SHA-512:C0254E818FB87C342B2505A6392BFF84E345CD4C501925DC4823DB9710BC9D2D29032FC5B2B7F7A30D5263B7704C29340D6AC113F1C94FB935E85D2FDEA0D4B8
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                  • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 97%
                                  • Antivirus: Virustotal, Detection: 90%, Browse
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................
Dropped file: C:\Windows\tasksche.exe (same size, MD5 and SHA-256 as C:\WINDOWS\qeriuwjhrf (copy) above: the two entries are one binary under two names)
Process: C:\Windows\mssecsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
                                  Size (bytes):3514368
                                  Entropy (8bit):6.5250408221172975
                                  Encrypted:false
                                  SSDEEP:49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAL:QqPoBhz1aRxcSUDk36SA8
                                  MD5:3233ACED9279EF54267C479BBA665B90
                                  SHA1:0B2CC142386641901511269503CDF6F641FAD305
                                  SHA-256:F60F8A6BCAF1384A0D6A76D3E88007A8604560B263D2B8AEEE06FD74C9EE5B3B
                                  SHA-512:55F25C51FFB89D46F2A7D2ED9B67701E178BD68E74B71D757D5FA14BD9530A427104FC36116633033EAD762ECF7960AB96429F5B0A085A701001C6832BA4555E
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 94%
                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):5.011750025019805
                                  TrID:
                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                  • DOS Executable Generic (2002/1) 0.20%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:jpXNd6Kt8z.dll
                                  File size:5'267'459 bytes
                                  MD5:1bda83265aeaeda718ef23fca3e1fe8d
                                  SHA1:b16681b565b5b6009fdfbe2ea2f3c0aa0603ed2f
                                  SHA256:1db70e71afb728b64f3576a8c8ebd567cfc87203c6be2abd7adc0ebe635c0b80
                                  SHA512:706232da2c749447de20ee0edca6732a13c7a1e93e310cc72f1e5b254a687b19ef63620f54a6e1201302d23a47d71bb0b20b9186000c7467ef3d82d4fdfe917c
                                  SSDEEP:49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:d8qPoBhz1aRxcSUDk36SA
                                  TLSH:7936F601D2E51AA0DAF25FF7267ADB10833A6E45895BA66E1221500F0C77F1CDDE6F2C
                                  Icon Hash:7ae282899bbab082
                                  Entrypoint:0x100011e9
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x10000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                  DLL Characteristics:
                                  Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  push ebx
                                  mov ebx, dword ptr [ebp+08h]
                                  push esi
                                  mov esi, dword ptr [ebp+0Ch]
                                  push edi
                                  mov edi, dword ptr [ebp+10h]
                                  test esi, esi
                                  jne 00007F6D50B1DA2Bh
                                  cmp dword ptr [10003140h], 00000000h
                                  jmp 00007F6D50B1DA48h
                                  cmp esi, 01h
                                  je 00007F6D50B1DA27h
                                  cmp esi, 02h
                                  jne 00007F6D50B1DA44h
                                  mov eax, dword ptr [10003150h]
                                  test eax, eax
                                  je 00007F6D50B1DA2Bh
                                  push edi
                                  push esi
                                  push ebx
                                  call eax
                                  test eax, eax
                                  je 00007F6D50B1DA2Eh
                                  push edi
                                  push esi
                                  push ebx
                                  call 00007F6D50B1D93Ah
                                  test eax, eax
                                  jne 00007F6D50B1DA26h
                                  xor eax, eax
                                  jmp 00007F6D50B1DA70h
                                  push edi
                                  push esi
                                  push ebx
                                  call 00007F6D50B1D7ECh
                                  cmp esi, 01h
                                  mov dword ptr [ebp+0Ch], eax
                                  jne 00007F6D50B1DA2Eh
                                  test eax, eax
                                  jne 00007F6D50B1DA59h
                                  push edi
                                  push eax
                                  push ebx
                                  call 00007F6D50B1D916h
                                  test esi, esi
                                  je 00007F6D50B1DA27h
                                  cmp esi, 03h
                                  jne 00007F6D50B1DA48h
                                  push edi
                                  push esi
                                  push ebx
                                  call 00007F6D50B1D905h
                                  test eax, eax
                                  jne 00007F6D50B1DA25h
                                  and dword ptr [ebp+0Ch], eax
                                  cmp dword ptr [ebp+0Ch], 00000000h
                                  je 00007F6D50B1DA33h
                                  mov eax, dword ptr [10003150h]
                                  test eax, eax
                                  je 00007F6D50B1DA2Ah
                                  push edi
                                  push esi
                                  push ebx
                                  call eax
                                  mov dword ptr [ebp+0Ch], eax
                                  mov eax, dword ptr [ebp+0Ch]
                                  pop edi
                                  pop esi
                                  pop ebx
                                  pop ebp
                                  retn 000Ch
                                  jmp dword ptr [10002028h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [ C ] VS98 (6.0) build 8168
                                  • [C++] VS98 (6.0) build 8168
                                  • [RES] VS98 (6.0) cvtres build 1720
                                  • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | fe5022c5b5d015ad38b2b77fc437a5cb | False | 0.016845703125 | Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0 | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | 89d94d4c137e7fdd694ba8dd7ac0e120 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
W | 0x4060 | 0x500000 | data | English | United States | 0.8770351409912109
DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jan 14, 2025 20:57:06.361541986 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.361639977 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.374042988 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.378853083 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.383321047 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.384475946 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.388107061 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.389305115 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.425118923 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.429956913 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.439174891 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.444003105 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.470812082 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.480612040 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.480639935 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.480712891 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.523113966 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.532314062 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.535773039 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.536732912 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.541640043 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.568181038 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.589535952 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.592242956 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.597049952 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.667423964 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.667505980 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.667573929 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.682167053 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.687232018 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.687272072 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.687306881 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.701796055 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.710231066 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.715043068 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.719953060 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.721529007 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.728653908 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.737004042 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.785502911 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.798451900 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.813690901 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.813771009 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.818645000 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.818825006 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.818869114 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.847148895 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.849042892 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.851954937 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.853956938 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.855817080 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.858541965 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.860583067 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.863284111 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.899961948 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.941348076 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.943237066 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.944616079 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.944637060 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.944664001 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.944691896 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.955792904 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.955821991 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.955878973 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.961286068 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.971621037 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:06.976500034 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:06.998480082 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.007630110 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.012542009 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.043373108 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.055922031 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.064127922 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.074476004 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.091141939 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.096853018 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.100128889 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.100183964 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.103200912 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.107994080 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.148396015 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.151199102 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.167085886 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.169642925 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.200654030 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.200684071 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.200854063 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.203653097 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.203780890 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.208589077 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.243901968 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.246795893 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.277544975 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.280356884 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.283337116 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.285453081 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.290260077 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.301676035 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.301692009 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.301740885 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.305136919 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.305495024 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.310317039 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.389727116 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.392635107 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.399667025 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.401771069 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.405679941 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.405740976 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.406050920 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.406099081 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.408205986 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.408256054 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.414345980 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.456216097 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.485692978 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.489634037 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.493360043 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.494524002 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.496700048 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.500803947 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.500868082 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.502784967 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.505920887 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.505934954 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.505990982 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.507975101 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.508086920 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.514276028 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.560571909 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.590162039 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.593070984 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.593475103 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.593626022 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.595407009 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.597944975 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.600203991 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.600375891 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.602291107 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.605153084 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.605166912 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.605218887 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.605256081 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.607074976 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.607242107 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.612018108 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.656225920 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.692492962 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.692512989 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.692573071 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.695234060 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.695308924 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.699858904 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.700927973 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.700938940 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.701837063 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.706353903 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.706367016 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.706418991 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.709032059 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.709110022 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.715173960 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.760144949 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.792350054 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.792711973 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.792778015 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.795516968 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.795638084 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.800352097 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.800518036 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.802139997 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.804296970 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.804308891 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.804367065 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.804420948 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.806309938 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.811351061 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.880033970 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.882955074 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.891149044 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.891222000 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.891233921 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.891297102 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.892643929 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.892708063 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.894000053 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.894474030 CET49677443192.168.2.920.189.173.11
                                  Jan 14, 2025 20:57:07.894714117 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.899669886 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.899682045 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.899693012 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.899703979 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:07.899743080 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.902093887 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:07.948395014 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169774055 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169791937 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169801950 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169902086 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169900894 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.169914961 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169926882 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.169960976 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.169989109 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.170779943 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.170842886 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.173811913 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.174612045 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.174722910 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.174846888 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.175539017 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.178615093 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.179697990 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.179708004 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.179718018 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.182493925 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.282361031 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.285296917 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.290060043 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.292382002 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.292393923 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.292450905 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.293072939 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.293085098 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.293143988 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:08.380614042 CET4434970613.107.246.45192.168.2.9
                                  Jan 14, 2025 20:57:08.425720930 CET49706443192.168.2.913.107.246.45
                                  Jan 14, 2025 20:57:09.097701073 CET49673443192.168.2.9204.79.197.203
                                  Jan 14, 2025 20:57:11.930736065 CET49707445192.168.2.9146.143.226.222
                                  Jan 14, 2025 20:57:11.935754061 CET44549707146.143.226.222192.168.2.9
                                  Jan 14, 2025 20:57:11.935832024 CET49707445192.168.2.9146.143.226.222
                                  Jan 14, 2025 20:57:11.941298008 CET49707445192.168.2.9146.143.226.222
                                  Jan 14, 2025 20:57:11.946139097 CET44549707146.143.226.222192.168.2.9
                                  Jan 14, 2025 20:57:11.946202993 CET49707445192.168.2.9146.143.226.222
                                  Jan 14, 2025 20:57:11.951658010 CET49708445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.956501007 CET44549708146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:11.956563950 CET49708445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.956736088 CET49708445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.961518049 CET44549708146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:11.961565971 CET49708445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.962035894 CET49709445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.966922998 CET44549709146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:11.966988087 CET49709445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.967088938 CET49709445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:11.971822977 CET44549709146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:13.895838022 CET49732445192.168.2.9184.49.177.144
                                  Jan 14, 2025 20:57:13.900763035 CET44549732184.49.177.144192.168.2.9
                                  Jan 14, 2025 20:57:13.900825024 CET49732445192.168.2.9184.49.177.144
                                  Jan 14, 2025 20:57:13.900861025 CET49732445192.168.2.9184.49.177.144
                                  Jan 14, 2025 20:57:13.901038885 CET49733445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.905832052 CET44549733184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:13.905847073 CET44549732184.49.177.144192.168.2.9
                                  Jan 14, 2025 20:57:13.905908108 CET49732445192.168.2.9184.49.177.144
                                  Jan 14, 2025 20:57:13.905921936 CET49733445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.906001091 CET49733445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.907243013 CET49734445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.910841942 CET44549733184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:13.910900116 CET49733445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.912040949 CET44549734184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:13.912101030 CET49734445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.912184000 CET49734445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:13.916960955 CET44549734184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:14.863281012 CET49675443192.168.2.923.206.229.209
                                  Jan 14, 2025 20:57:14.863388062 CET49676443192.168.2.923.206.229.209
                                  Jan 14, 2025 20:57:15.082077980 CET49674443192.168.2.923.206.229.209
                                  Jan 14, 2025 20:57:15.911997080 CET49755445192.168.2.991.124.228.130
                                  Jan 14, 2025 20:57:15.916832924 CET4454975591.124.228.130192.168.2.9
                                  Jan 14, 2025 20:57:15.916971922 CET49755445192.168.2.991.124.228.130
                                  Jan 14, 2025 20:57:15.916971922 CET49755445192.168.2.991.124.228.130
                                  Jan 14, 2025 20:57:15.917284012 CET49756445192.168.2.991.124.228.1
                                  Jan 14, 2025 20:57:15.922027111 CET4454975691.124.228.1192.168.2.9
                                  Jan 14, 2025 20:57:15.922038078 CET4454975591.124.228.130192.168.2.9
                                  Jan 14, 2025 20:57:15.922111988 CET49756445192.168.2.991.124.228.1
                                  Jan 14, 2025 20:57:15.922146082 CET49756445192.168.2.991.124.228.1
Jan 14, 2025 20:57:15.922254086 CET | 49755 | 445 | 192.168.2.9 | 91.124.228.130
Jan 14, 2025 20:57:15.923285961 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:15.927058935 CET | 445 | 49756 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:15.927114964 CET | 49756 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:15.928091049 CET | 445 | 49757 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:15.928159952 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:15.928241968 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:15.932935953 CET | 445 | 49757 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:16.795799971 CET | 443 | 49704 | 23.206.229.209 | 192.168.2.9
Jan 14, 2025 20:57:16.796124935 CET | 49704 | 443 | 192.168.2.9 | 23.206.229.209
Jan 14, 2025 20:57:17.503911018 CET | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jan 14, 2025 20:57:17.927499056 CET | 49778 | 445 | 192.168.2.9 | 221.249.132.66
Jan 14, 2025 20:57:17.932347059 CET | 445 | 49778 | 221.249.132.66 | 192.168.2.9
Jan 14, 2025 20:57:17.932441950 CET | 49778 | 445 | 192.168.2.9 | 221.249.132.66
Jan 14, 2025 20:57:17.932506084 CET | 49778 | 445 | 192.168.2.9 | 221.249.132.66
Jan 14, 2025 20:57:17.932780981 CET | 49779 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.937591076 CET | 445 | 49779 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:17.937601089 CET | 445 | 49778 | 221.249.132.66 | 192.168.2.9
Jan 14, 2025 20:57:17.937680960 CET | 49778 | 445 | 192.168.2.9 | 221.249.132.66
Jan 14, 2025 20:57:17.937680960 CET | 49779 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.937736988 CET | 49779 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.939008951 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.942754030 CET | 445 | 49779 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:17.942827940 CET | 49779 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.943797112 CET | 445 | 49780 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:17.943859100 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.943923950 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:17.948659897 CET | 445 | 49780 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:19.942852974 CET | 49803 | 445 | 192.168.2.9 | 18.4.104.71
Jan 14, 2025 20:57:19.947696924 CET | 445 | 49803 | 18.4.104.71 | 192.168.2.9
Jan 14, 2025 20:57:19.947768927 CET | 49803 | 445 | 192.168.2.9 | 18.4.104.71
Jan 14, 2025 20:57:19.947815895 CET | 49803 | 445 | 192.168.2.9 | 18.4.104.71
Jan 14, 2025 20:57:19.948040962 CET | 49804 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.952769041 CET | 445 | 49803 | 18.4.104.71 | 192.168.2.9
Jan 14, 2025 20:57:19.952822924 CET | 445 | 49804 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:19.952840090 CET | 49803 | 445 | 192.168.2.9 | 18.4.104.71
Jan 14, 2025 20:57:19.952877998 CET | 49804 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.952966928 CET | 49804 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.953953981 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.957793951 CET | 445 | 49804 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:19.957849026 CET | 49804 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.958770990 CET | 445 | 49805 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:19.958832026 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.958976030 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:19.963712931 CET | 445 | 49805 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:21.958640099 CET | 49828 | 445 | 192.168.2.9 | 108.154.178.174
Jan 14, 2025 20:57:21.965290070 CET | 445 | 49828 | 108.154.178.174 | 192.168.2.9
Jan 14, 2025 20:57:21.965383053 CET | 49828 | 445 | 192.168.2.9 | 108.154.178.174
Jan 14, 2025 20:57:21.965413094 CET | 49828 | 445 | 192.168.2.9 | 108.154.178.174
Jan 14, 2025 20:57:21.965590954 CET | 49829 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.970786095 CET | 445 | 49829 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:21.970797062 CET | 445 | 49828 | 108.154.178.174 | 192.168.2.9
Jan 14, 2025 20:57:21.970850945 CET | 49828 | 445 | 192.168.2.9 | 108.154.178.174
Jan 14, 2025 20:57:21.970864058 CET | 49829 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.970900059 CET | 49829 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.971890926 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.975886106 CET | 445 | 49829 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:21.975955009 CET | 49829 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.976715088 CET | 445 | 49830 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:21.976767063 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.976811886 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:21.981581926 CET | 445 | 49830 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:23.973274946 CET | 49852 | 445 | 192.168.2.9 | 80.248.194.24
Jan 14, 2025 20:57:23.978100061 CET | 445 | 49852 | 80.248.194.24 | 192.168.2.9
Jan 14, 2025 20:57:23.978203058 CET | 49852 | 445 | 192.168.2.9 | 80.248.194.24
Jan 14, 2025 20:57:23.978239059 CET | 49852 | 445 | 192.168.2.9 | 80.248.194.24
Jan 14, 2025 20:57:23.978365898 CET | 49853 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.983095884 CET | 445 | 49853 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:23.983206034 CET | 49853 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.983238935 CET | 445 | 49852 | 80.248.194.24 | 192.168.2.9
Jan 14, 2025 20:57:23.983354092 CET | 49852 | 445 | 192.168.2.9 | 80.248.194.24
Jan 14, 2025 20:57:23.983537912 CET | 49853 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.984088898 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.988420010 CET | 445 | 49853 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:23.988457918 CET | 49853 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.988904953 CET | 445 | 49854 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:23.988964081 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.989027023 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:23.993793011 CET | 445 | 49854 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:25.990319014 CET | 49878 | 445 | 192.168.2.9 | 162.2.173.54
Jan 14, 2025 20:57:25.995106936 CET | 445 | 49878 | 162.2.173.54 | 192.168.2.9
Jan 14, 2025 20:57:25.995168924 CET | 49878 | 445 | 192.168.2.9 | 162.2.173.54
Jan 14, 2025 20:57:25.995443106 CET | 49878 | 445 | 192.168.2.9 | 162.2.173.54
Jan 14, 2025 20:57:25.995618105 CET | 49879 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.000262022 CET | 445 | 49878 | 162.2.173.54 | 192.168.2.9
Jan 14, 2025 20:57:26.000304937 CET | 49878 | 445 | 192.168.2.9 | 162.2.173.54
Jan 14, 2025 20:57:26.000379086 CET | 445 | 49879 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:26.000432014 CET | 49879 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.000466108 CET | 49879 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.001099110 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.005791903 CET | 445 | 49879 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:26.005841970 CET | 49879 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.005882025 CET | 445 | 49880 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:26.005940914 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.005994081 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:26.010751009 CET | 445 | 49880 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:28.004497051 CET | 49902 | 445 | 192.168.2.9 | 149.96.103.34
Jan 14, 2025 20:57:28.009318113 CET | 445 | 49902 | 149.96.103.34 | 192.168.2.9
Jan 14, 2025 20:57:28.012089968 CET | 49902 | 445 | 192.168.2.9 | 149.96.103.34
Jan 14, 2025 20:57:28.012089968 CET | 49902 | 445 | 192.168.2.9 | 149.96.103.34
Jan 14, 2025 20:57:28.012284040 CET | 49903 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.017069101 CET | 445 | 49902 | 149.96.103.34 | 192.168.2.9
Jan 14, 2025 20:57:28.017079115 CET | 445 | 49903 | 149.96.103.1 | 192.168.2.9
Jan 14, 2025 20:57:28.017128944 CET | 49902 | 445 | 192.168.2.9 | 149.96.103.34
Jan 14, 2025 20:57:28.017155886 CET | 49903 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.017277002 CET | 49903 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.017656088 CET | 49904 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.023206949 CET | 445 | 49903 | 149.96.103.1 | 192.168.2.9
Jan 14, 2025 20:57:28.023242950 CET | 445 | 49904 | 149.96.103.1 | 192.168.2.9
Jan 14, 2025 20:57:28.023304939 CET | 49903 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.023338079 CET | 49904 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.023422003 CET | 49904 | 445 | 192.168.2.9 | 149.96.103.1
Jan 14, 2025 20:57:28.030533075 CET | 445 | 49904 | 149.96.103.1 | 192.168.2.9
Jan 14, 2025 20:57:30.023905039 CET | 49925 | 445 | 192.168.2.9 | 94.116.139.177
Jan 14, 2025 20:57:30.028697968 CET | 445 | 49925 | 94.116.139.177 | 192.168.2.9
Jan 14, 2025 20:57:30.028789997 CET | 49925 | 445 | 192.168.2.9 | 94.116.139.177
Jan 14, 2025 20:57:30.032641888 CET | 49925 | 445 | 192.168.2.9 | 94.116.139.177
Jan 14, 2025 20:57:30.032829046 CET | 49926 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.037530899 CET | 445 | 49925 | 94.116.139.177 | 192.168.2.9
Jan 14, 2025 20:57:30.037601948 CET | 49925 | 445 | 192.168.2.9 | 94.116.139.177
Jan 14, 2025 20:57:30.037652016 CET | 445 | 49926 | 94.116.139.1 | 192.168.2.9
Jan 14, 2025 20:57:30.037710905 CET | 49926 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.041415930 CET | 49926 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.045726061 CET | 49927 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.046195030 CET | 445 | 49926 | 94.116.139.1 | 192.168.2.9
Jan 14, 2025 20:57:30.046269894 CET | 49926 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.050581932 CET | 445 | 49927 | 94.116.139.1 | 192.168.2.9
Jan 14, 2025 20:57:30.050661087 CET | 49927 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.050708055 CET | 49927 | 445 | 192.168.2.9 | 94.116.139.1
Jan 14, 2025 20:57:30.055522919 CET | 445 | 49927 | 94.116.139.1 | 192.168.2.9
Jan 14, 2025 20:57:32.035670042 CET | 49949 | 445 | 192.168.2.9 | 159.220.151.248
Jan 14, 2025 20:57:32.040661097 CET | 445 | 49949 | 159.220.151.248 | 192.168.2.9
Jan 14, 2025 20:57:32.040766954 CET | 49949 | 445 | 192.168.2.9 | 159.220.151.248
Jan 14, 2025 20:57:32.040810108 CET | 49949 | 445 | 192.168.2.9 | 159.220.151.248
Jan 14, 2025 20:57:32.040961981 CET | 49950 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.045891047 CET | 445 | 49950 | 159.220.151.1 | 192.168.2.9
Jan 14, 2025 20:57:32.045984030 CET | 49950 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.046011925 CET | 49950 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.046123981 CET | 445 | 49949 | 159.220.151.248 | 192.168.2.9
Jan 14, 2025 20:57:32.046173096 CET | 49949 | 445 | 192.168.2.9 | 159.220.151.248
Jan 14, 2025 20:57:32.046314001 CET | 49951 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.051050901 CET | 445 | 49950 | 159.220.151.1 | 192.168.2.9
Jan 14, 2025 20:57:32.051125050 CET | 49950 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.051153898 CET | 445 | 49951 | 159.220.151.1 | 192.168.2.9
Jan 14, 2025 20:57:32.051219940 CET | 49951 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.051263094 CET | 49951 | 445 | 192.168.2.9 | 159.220.151.1
Jan 14, 2025 20:57:32.055975914 CET | 445 | 49951 | 159.220.151.1 | 192.168.2.9
Jan 14, 2025 20:57:33.341722965 CET | 445 | 49709 | 146.143.226.1 | 192.168.2.9
Jan 14, 2025 20:57:33.341785908 CET | 49709 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:33.341856956 CET | 49709 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:33.341973066 CET | 49709 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:33.346657991 CET | 445 | 49709 | 146.143.226.1 | 192.168.2.9
Jan 14, 2025 20:57:33.346784115 CET | 445 | 49709 | 146.143.226.1 | 192.168.2.9
Jan 14, 2025 20:57:34.051301956 CET | 49972 | 445 | 192.168.2.9 | 190.48.125.196
Jan 14, 2025 20:57:34.056090117 CET | 445 | 49972 | 190.48.125.196 | 192.168.2.9
Jan 14, 2025 20:57:34.056200981 CET | 49972 | 445 | 192.168.2.9 | 190.48.125.196
Jan 14, 2025 20:57:34.056272030 CET | 49972 | 445 | 192.168.2.9 | 190.48.125.196
Jan 14, 2025 20:57:34.056374073 CET | 49973 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.061455011 CET | 445 | 49973 | 190.48.125.1 | 192.168.2.9
Jan 14, 2025 20:57:34.061543941 CET | 49973 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.061566114 CET | 49973 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.061898947 CET | 445 | 49972 | 190.48.125.196 | 192.168.2.9
Jan 14, 2025 20:57:34.061945915 CET | 49972 | 445 | 192.168.2.9 | 190.48.125.196
Jan 14, 2025 20:57:34.062009096 CET | 49974 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.066555977 CET | 445 | 49973 | 190.48.125.1 | 192.168.2.9
Jan 14, 2025 20:57:34.066618919 CET | 49973 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.066834927 CET | 445 | 49974 | 190.48.125.1 | 192.168.2.9
Jan 14, 2025 20:57:34.066924095 CET | 49974 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.066924095 CET | 49974 | 445 | 192.168.2.9 | 190.48.125.1
Jan 14, 2025 20:57:34.071729898 CET | 445 | 49974 | 190.48.125.1 | 192.168.2.9
Jan 14, 2025 20:57:35.282574892 CET | 445 | 49734 | 184.49.177.1 | 192.168.2.9
Jan 14, 2025 20:57:35.282717943 CET | 49734 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:35.282845974 CET | 49734 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:35.282937050 CET | 49734 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:35.289021969 CET | 445 | 49734 | 184.49.177.1 | 192.168.2.9
Jan 14, 2025 20:57:35.289032936 CET | 445 | 49734 | 184.49.177.1 | 192.168.2.9
Jan 14, 2025 20:57:36.091819048 CET | 49994 | 445 | 192.168.2.9 | 208.237.91.110
Jan 14, 2025 20:57:36.096668005 CET | 445 | 49994 | 208.237.91.110 | 192.168.2.9
Jan 14, 2025 20:57:36.096749067 CET | 49994 | 445 | 192.168.2.9 | 208.237.91.110
Jan 14, 2025 20:57:36.103653908 CET | 49994 | 445 | 192.168.2.9 | 208.237.91.110
Jan 14, 2025 20:57:36.103877068 CET | 49996 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.109183073 CET | 445 | 49994 | 208.237.91.110 | 192.168.2.9
Jan 14, 2025 20:57:36.109297037 CET | 49994 | 445 | 192.168.2.9 | 208.237.91.110
Jan 14, 2025 20:57:36.109312057 CET | 445 | 49996 | 208.237.91.1 | 192.168.2.9
Jan 14, 2025 20:57:36.109375000 CET | 49996 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.110093117 CET | 49996 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.110418081 CET | 49997 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.115056992 CET | 445 | 49996 | 208.237.91.1 | 192.168.2.9
Jan 14, 2025 20:57:36.115149021 CET | 49996 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.115627050 CET | 445 | 49997 | 208.237.91.1 | 192.168.2.9
Jan 14, 2025 20:57:36.115691900 CET | 49997 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.115745068 CET | 49997 | 445 | 192.168.2.9 | 208.237.91.1
Jan 14, 2025 20:57:36.120464087 CET | 445 | 49997 | 208.237.91.1 | 192.168.2.9
Jan 14, 2025 20:57:36.352381945 CET | 50002 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:36.357266903 CET | 445 | 50002 | 146.143.226.1 | 192.168.2.9
Jan 14, 2025 20:57:36.357362986 CET | 50002 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:36.358612061 CET | 50002 | 445 | 192.168.2.9 | 146.143.226.1
Jan 14, 2025 20:57:36.363380909 CET | 445 | 50002 | 146.143.226.1 | 192.168.2.9
Jan 14, 2025 20:57:37.296823978 CET | 445 | 49757 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:37.296973944 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:37.297051907 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:37.297128916 CET | 49757 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:37.302041054 CET | 445 | 49757 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:37.302054882 CET | 445 | 49757 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:38.098301888 CET | 50006 | 445 | 192.168.2.9 | 120.203.108.174
Jan 14, 2025 20:57:38.103236914 CET | 445 | 50006 | 120.203.108.174 | 192.168.2.9
Jan 14, 2025 20:57:38.106915951 CET | 50006 | 445 | 192.168.2.9 | 120.203.108.174
Jan 14, 2025 20:57:38.107004881 CET | 50006 | 445 | 192.168.2.9 | 120.203.108.174
Jan 14, 2025 20:57:38.107208967 CET | 50007 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.112099886 CET | 445 | 50006 | 120.203.108.174 | 192.168.2.9
Jan 14, 2025 20:57:38.112121105 CET | 445 | 50007 | 120.203.108.1 | 192.168.2.9
Jan 14, 2025 20:57:38.112198114 CET | 50006 | 445 | 192.168.2.9 | 120.203.108.174
Jan 14, 2025 20:57:38.112229109 CET | 50007 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.112338066 CET | 50007 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.112612009 CET | 50008 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.117319107 CET | 445 | 50007 | 120.203.108.1 | 192.168.2.9
Jan 14, 2025 20:57:38.117413998 CET | 445 | 50008 | 120.203.108.1 | 192.168.2.9
Jan 14, 2025 20:57:38.117480040 CET | 50007 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.117510080 CET | 50008 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.124672890 CET | 50008 | 445 | 192.168.2.9 | 120.203.108.1
Jan 14, 2025 20:57:38.129524946 CET | 445 | 50008 | 120.203.108.1 | 192.168.2.9
Jan 14, 2025 20:57:38.285643101 CET | 50009 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:38.290555000 CET | 445 | 50009 | 184.49.177.1 | 192.168.2.9
Jan 14, 2025 20:57:38.290636063 CET | 50009 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:38.290690899 CET | 50009 | 445 | 192.168.2.9 | 184.49.177.1
Jan 14, 2025 20:57:38.295511007 CET | 445 | 50009 | 184.49.177.1 | 192.168.2.9
Jan 14, 2025 20:57:39.344012022 CET | 445 | 49780 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:39.344145060 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:39.344501019 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:39.344583035 CET | 49780 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:39.349286079 CET | 445 | 49780 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:39.349397898 CET | 445 | 49780 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:40.113825083 CET | 50010 | 445 | 192.168.2.9 | 93.252.137.40
Jan 14, 2025 20:57:40.118653059 CET | 445 | 50010 | 93.252.137.40 | 192.168.2.9
Jan 14, 2025 20:57:40.118747950 CET | 50010 | 445 | 192.168.2.9 | 93.252.137.40
Jan 14, 2025 20:57:40.118803978 CET | 50010 | 445 | 192.168.2.9 | 93.252.137.40
Jan 14, 2025 20:57:40.119028091 CET | 50011 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.123723984 CET | 445 | 50010 | 93.252.137.40 | 192.168.2.9
Jan 14, 2025 20:57:40.123738050 CET | 445 | 50011 | 93.252.137.1 | 192.168.2.9
Jan 14, 2025 20:57:40.123789072 CET | 50010 | 445 | 192.168.2.9 | 93.252.137.40
Jan 14, 2025 20:57:40.123840094 CET | 50011 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.123920918 CET | 50011 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.124162912 CET | 50012 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.128740072 CET | 445 | 50011 | 93.252.137.1 | 192.168.2.9
Jan 14, 2025 20:57:40.128803015 CET | 50011 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.128992081 CET | 445 | 50012 | 93.252.137.1 | 192.168.2.9
Jan 14, 2025 20:57:40.129049063 CET | 50012 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.129091024 CET | 50012 | 445 | 192.168.2.9 | 93.252.137.1
Jan 14, 2025 20:57:40.133867025 CET | 445 | 50012 | 93.252.137.1 | 192.168.2.9
Jan 14, 2025 20:57:40.301126957 CET | 50013 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:40.313309908 CET | 445 | 50013 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:40.313381910 CET | 50013 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:40.313431025 CET | 50013 | 445 | 192.168.2.9 | 91.124.228.1
Jan 14, 2025 20:57:40.318198919 CET | 445 | 50013 | 91.124.228.1 | 192.168.2.9
Jan 14, 2025 20:57:41.341454029 CET | 445 | 49805 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:41.344137907 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:41.344203949 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:41.344290972 CET | 49805 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:41.348989010 CET | 445 | 49805 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:41.349075079 CET | 445 | 49805 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:42.133136988 CET | 50014 | 445 | 192.168.2.9 | 192.251.179.242
Jan 14, 2025 20:57:42.138047934 CET | 445 | 50014 | 192.251.179.242 | 192.168.2.9
Jan 14, 2025 20:57:42.138134003 CET | 50014 | 445 | 192.168.2.9 | 192.251.179.242
Jan 14, 2025 20:57:42.138227940 CET | 50014 | 445 | 192.168.2.9 | 192.251.179.242
Jan 14, 2025 20:57:42.138418913 CET | 50015 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.143240929 CET | 445 | 50014 | 192.251.179.242 | 192.168.2.9
Jan 14, 2025 20:57:42.143254042 CET | 445 | 50015 | 192.251.179.1 | 192.168.2.9
Jan 14, 2025 20:57:42.143285990 CET | 50014 | 445 | 192.168.2.9 | 192.251.179.242
Jan 14, 2025 20:57:42.143332005 CET | 50015 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.143384933 CET | 50015 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.143723011 CET | 50016 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.148190975 CET | 445 | 50015 | 192.251.179.1 | 192.168.2.9
Jan 14, 2025 20:57:42.148315907 CET | 445 | 50015 | 192.251.179.1 | 192.168.2.9
Jan 14, 2025 20:57:42.148353100 CET | 50015 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.148448944 CET | 445 | 50016 | 192.251.179.1 | 192.168.2.9
Jan 14, 2025 20:57:42.148500919 CET | 50016 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.148530006 CET | 50016 | 445 | 192.168.2.9 | 192.251.179.1
Jan 14, 2025 20:57:42.153264999 CET | 445 | 50016 | 192.251.179.1 | 192.168.2.9
Jan 14, 2025 20:57:42.348087072 CET | 50017 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:42.352907896 CET | 445 | 50017 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:42.352991104 CET | 50017 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:42.353032112 CET | 50017 | 445 | 192.168.2.9 | 221.249.132.1
Jan 14, 2025 20:57:42.358449936 CET | 445 | 50017 | 221.249.132.1 | 192.168.2.9
Jan 14, 2025 20:57:43.324960947 CET | 445 | 49830 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:43.325094938 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:43.327265978 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:43.327392101 CET | 49830 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:43.332000017 CET | 445 | 49830 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:43.332155943 CET | 445 | 49830 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:44.145226955 CET | 50018 | 445 | 192.168.2.9 | 46.72.240.188
Jan 14, 2025 20:57:44.150212049 CET | 445 | 50018 | 46.72.240.188 | 192.168.2.9
Jan 14, 2025 20:57:44.150332928 CET | 50018 | 445 | 192.168.2.9 | 46.72.240.188
Jan 14, 2025 20:57:44.150377035 CET | 50018 | 445 | 192.168.2.9 | 46.72.240.188
Jan 14, 2025 20:57:44.150643110 CET | 50019 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.155381918 CET | 445 | 50018 | 46.72.240.188 | 192.168.2.9
Jan 14, 2025 20:57:44.155452013 CET | 50018 | 445 | 192.168.2.9 | 46.72.240.188
Jan 14, 2025 20:57:44.155459881 CET | 445 | 50019 | 46.72.240.1 | 192.168.2.9
Jan 14, 2025 20:57:44.155549049 CET | 50019 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.155575037 CET | 50019 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.155906916 CET | 50020 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.160487890 CET | 445 | 50019 | 46.72.240.1 | 192.168.2.9
Jan 14, 2025 20:57:44.160553932 CET | 50019 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.160737991 CET | 445 | 50020 | 46.72.240.1 | 192.168.2.9
Jan 14, 2025 20:57:44.160798073 CET | 50020 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.160844088 CET | 50020 | 445 | 192.168.2.9 | 46.72.240.1
Jan 14, 2025 20:57:44.165657997 CET | 445 | 50020 | 46.72.240.1 | 192.168.2.9
Jan 14, 2025 20:57:44.349647999 CET | 50021 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:44.354535103 CET | 445 | 50021 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:44.356123924 CET | 50021 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:44.358445883 CET | 50021 | 445 | 192.168.2.9 | 18.4.104.1
Jan 14, 2025 20:57:44.363238096 CET | 445 | 50021 | 18.4.104.1 | 192.168.2.9
Jan 14, 2025 20:57:45.355385065 CET | 445 | 49854 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:45.355508089 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:45.355568886 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:45.355621099 CET | 49854 | 445 | 192.168.2.9 | 80.248.194.1
Jan 14, 2025 20:57:45.360375881 CET | 445 | 49854 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:45.360413074 CET | 445 | 49854 | 80.248.194.1 | 192.168.2.9
Jan 14, 2025 20:57:46.160782099 CET | 50022 | 445 | 192.168.2.9 | 220.92.122.150
Jan 14, 2025 20:57:46.165745974 CET | 445 | 50022 | 220.92.122.150 | 192.168.2.9
Jan 14, 2025 20:57:46.165883064 CET | 50022 | 445 | 192.168.2.9 | 220.92.122.150
Jan 14, 2025 20:57:46.165910006 CET | 50022 | 445 | 192.168.2.9 | 220.92.122.150
Jan 14, 2025 20:57:46.166038036 CET | 50023 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.170806885 CET | 445 | 50023 | 220.92.122.1 | 192.168.2.9
Jan 14, 2025 20:57:46.170890093 CET | 50023 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.170945883 CET | 445 | 50022 | 220.92.122.150 | 192.168.2.9
Jan 14, 2025 20:57:46.170969009 CET | 50023 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.170998096 CET | 50022 | 445 | 192.168.2.9 | 220.92.122.150
Jan 14, 2025 20:57:46.171241999 CET | 50024 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.175995111 CET | 445 | 50023 | 220.92.122.1 | 192.168.2.9
Jan 14, 2025 20:57:46.176078081 CET | 50023 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.176091909 CET | 445 | 50024 | 220.92.122.1 | 192.168.2.9
Jan 14, 2025 20:57:46.176156044 CET | 50024 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.176189899 CET | 50024 | 445 | 192.168.2.9 | 220.92.122.1
Jan 14, 2025 20:57:46.181102037 CET | 445 | 50024 | 220.92.122.1 | 192.168.2.9
Jan 14, 2025 20:57:46.332540989 CET | 50025 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:46.337646961 CET | 445 | 50025 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:46.337709904 CET | 50025 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:46.337754965 CET | 50025 | 445 | 192.168.2.9 | 108.154.178.1
Jan 14, 2025 20:57:46.342545986 CET | 445 | 50025 | 108.154.178.1 | 192.168.2.9
Jan 14, 2025 20:57:47.403075933 CET | 445 | 49880 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:47.403357029 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:47.403412104 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:47.403412104 CET | 49880 | 445 | 192.168.2.9 | 162.2.173.1
Jan 14, 2025 20:57:47.408221006 CET | 445 | 49880 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:47.408231020 CET | 445 | 49880 | 162.2.173.1 | 192.168.2.9
Jan 14, 2025 20:57:48.035729885 CET | 50026 | 445 | 192.168.2.9 | 95.189.127.137
Jan 14, 2025 20:57:48.040709972 CET | 445 | 50026 | 95.189.127.137 | 192.168.2.9
Jan 14, 2025 20:57:48.040818930 CET | 50026 | 445 | 192.168.2.9 | 95.189.127.137
Jan 14, 2025 20:57:48.040915012 CET | 50026 | 445 | 192.168.2.9 | 95.189.127.137
Jan 14, 2025 20:57:48.041074038 CET | 50027 | 445 | 192.168.2.9 | 95.189.127.1
Jan 14, 2025 20:57:48.045938969 CET | 445 | 50027 | 95.189.127.1 | 192.168.2.9
Jan 14, 2025 20:57:48.046019077 CET | 50027 | 445 | 192.168.2.9 | 95.189.127.1
Jan 14, 2025 20:57:48.046029091 CET | 50027 | 445 | 192.168.2.9 | 95.189.127.1
Jan 14, 2025 20:57:48.046030998 CET | 445 | 50026 | 95.189.127.137 | 192.168.2.9
Jan 14, 2025 20:57:48.046081066 CET | 50026 | 445 | 192.168.2.9 | 95.189.127.137
Jan 14, 2025 20:57:48.046361923 CET | 50028 | 445 | 192.168.2.9 | 95.189.127.1
                                  Jan 14, 2025 20:57:48.051522017 CET4455002795.189.127.1192.168.2.9
                                  Jan 14, 2025 20:57:48.051578045 CET50027445192.168.2.995.189.127.1
                                  Jan 14, 2025 20:57:48.051680088 CET4455002895.189.127.1192.168.2.9
                                  Jan 14, 2025 20:57:48.051742077 CET50028445192.168.2.995.189.127.1
                                  Jan 14, 2025 20:57:48.051764011 CET50028445192.168.2.995.189.127.1
                                  Jan 14, 2025 20:57:48.056510925 CET4455002895.189.127.1192.168.2.9
                                  Jan 14, 2025 20:57:48.363622904 CET50029445192.168.2.980.248.194.1
                                  Jan 14, 2025 20:57:48.368786097 CET4455002980.248.194.1192.168.2.9
                                  Jan 14, 2025 20:57:48.368940115 CET50029445192.168.2.980.248.194.1
                                  Jan 14, 2025 20:57:48.368977070 CET50029445192.168.2.980.248.194.1
                                  Jan 14, 2025 20:57:48.373871088 CET4455002980.248.194.1192.168.2.9
                                  Jan 14, 2025 20:57:49.418793917 CET44549904149.96.103.1192.168.2.9
                                  Jan 14, 2025 20:57:49.418901920 CET49904445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:49.418901920 CET49904445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:49.418946028 CET49904445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:49.423738956 CET44549904149.96.103.1192.168.2.9
                                  Jan 14, 2025 20:57:49.423749924 CET44549904149.96.103.1192.168.2.9
                                  Jan 14, 2025 20:57:49.828438044 CET50030445192.168.2.933.222.99.200
                                  Jan 14, 2025 20:57:49.833447933 CET4455003033.222.99.200192.168.2.9
                                  Jan 14, 2025 20:57:49.833519936 CET50030445192.168.2.933.222.99.200
                                  Jan 14, 2025 20:57:49.836982965 CET50030445192.168.2.933.222.99.200
                                  Jan 14, 2025 20:57:49.837163925 CET50031445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.841911077 CET4455003033.222.99.200192.168.2.9
                                  Jan 14, 2025 20:57:49.841969967 CET50030445192.168.2.933.222.99.200
                                  Jan 14, 2025 20:57:49.842010975 CET4455003133.222.99.1192.168.2.9
                                  Jan 14, 2025 20:57:49.842071056 CET50031445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.845669031 CET50031445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.846215963 CET50032445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.850522041 CET4455003133.222.99.1192.168.2.9
                                  Jan 14, 2025 20:57:49.850586891 CET50031445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.850996017 CET4455003233.222.99.1192.168.2.9
                                  Jan 14, 2025 20:57:49.851233959 CET50032445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.851233959 CET50032445192.168.2.933.222.99.1
                                  Jan 14, 2025 20:57:49.856019020 CET4455003233.222.99.1192.168.2.9
                                  Jan 14, 2025 20:57:50.410510063 CET50033445192.168.2.9162.2.173.1
                                  Jan 14, 2025 20:57:50.415446997 CET44550033162.2.173.1192.168.2.9
                                  Jan 14, 2025 20:57:50.415564060 CET50033445192.168.2.9162.2.173.1
                                  Jan 14, 2025 20:57:50.415604115 CET50033445192.168.2.9162.2.173.1
                                  Jan 14, 2025 20:57:50.420627117 CET44550033162.2.173.1192.168.2.9
                                  Jan 14, 2025 20:57:51.421330929 CET4454992794.116.139.1192.168.2.9
                                  Jan 14, 2025 20:57:51.421394110 CET49927445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:51.421423912 CET49927445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:51.421499014 CET49927445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:51.427669048 CET4454992794.116.139.1192.168.2.9
                                  Jan 14, 2025 20:57:51.427680969 CET4454992794.116.139.1192.168.2.9
                                  Jan 14, 2025 20:57:51.457853079 CET50034445192.168.2.980.89.4.37
                                  Jan 14, 2025 20:57:51.463018894 CET4455003480.89.4.37192.168.2.9
                                  Jan 14, 2025 20:57:51.463087082 CET50034445192.168.2.980.89.4.37
                                  Jan 14, 2025 20:57:51.463119030 CET50034445192.168.2.980.89.4.37
                                  Jan 14, 2025 20:57:51.463283062 CET50035445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.468755960 CET4455003580.89.4.1192.168.2.9
                                  Jan 14, 2025 20:57:51.468769073 CET4455003480.89.4.37192.168.2.9
                                  Jan 14, 2025 20:57:51.468811989 CET50035445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.468847990 CET50034445192.168.2.980.89.4.37
                                  Jan 14, 2025 20:57:51.468947887 CET50035445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.469314098 CET50036445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.473789930 CET4455003580.89.4.1192.168.2.9
                                  Jan 14, 2025 20:57:51.473833084 CET50035445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.474149942 CET4455003680.89.4.1192.168.2.9
                                  Jan 14, 2025 20:57:51.474226952 CET50036445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.474226952 CET50036445192.168.2.980.89.4.1
                                  Jan 14, 2025 20:57:51.478991032 CET4455003680.89.4.1192.168.2.9
                                  Jan 14, 2025 20:57:52.426377058 CET50037445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:52.431417942 CET44550037149.96.103.1192.168.2.9
                                  Jan 14, 2025 20:57:52.431514025 CET50037445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:52.431575060 CET50037445192.168.2.9149.96.103.1
                                  Jan 14, 2025 20:57:52.436456919 CET44550037149.96.103.1192.168.2.9
                                  Jan 14, 2025 20:57:53.029757023 CET50038445192.168.2.978.131.168.103
                                  Jan 14, 2025 20:57:53.034601927 CET4455003878.131.168.103192.168.2.9
                                  Jan 14, 2025 20:57:53.034770966 CET50038445192.168.2.978.131.168.103
                                  Jan 14, 2025 20:57:53.034770966 CET50038445192.168.2.978.131.168.103
                                  Jan 14, 2025 20:57:53.034925938 CET50039445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.039691925 CET4455003978.131.168.1192.168.2.9
                                  Jan 14, 2025 20:57:53.039740086 CET50039445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.039777994 CET4455003878.131.168.103192.168.2.9
                                  Jan 14, 2025 20:57:53.039794922 CET50039445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.039899111 CET50038445192.168.2.978.131.168.103
                                  Jan 14, 2025 20:57:53.040771008 CET50040445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.044737101 CET4455003978.131.168.1192.168.2.9
                                  Jan 14, 2025 20:57:53.044778109 CET50039445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.045557976 CET4455004078.131.168.1192.168.2.9
                                  Jan 14, 2025 20:57:53.045622110 CET50040445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.045732975 CET50040445192.168.2.978.131.168.1
                                  Jan 14, 2025 20:57:53.050457954 CET4455004078.131.168.1192.168.2.9
                                  Jan 14, 2025 20:57:53.433739901 CET44549951159.220.151.1192.168.2.9
                                  Jan 14, 2025 20:57:53.433804035 CET49951445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:53.433844090 CET49951445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:53.433890104 CET49951445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:53.438787937 CET44549951159.220.151.1192.168.2.9
                                  Jan 14, 2025 20:57:53.438800097 CET44549951159.220.151.1192.168.2.9
                                  Jan 14, 2025 20:57:54.426323891 CET50041445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:54.431103945 CET4455004194.116.139.1192.168.2.9
                                  Jan 14, 2025 20:57:54.431212902 CET50041445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:54.431277990 CET50041445192.168.2.994.116.139.1
                                  Jan 14, 2025 20:57:54.436068058 CET4455004194.116.139.1192.168.2.9
                                  Jan 14, 2025 20:57:54.457809925 CET50042445192.168.2.9195.72.16.150
                                  Jan 14, 2025 20:57:54.462745905 CET44550042195.72.16.150192.168.2.9
                                  Jan 14, 2025 20:57:54.462869883 CET50042445192.168.2.9195.72.16.150
                                  Jan 14, 2025 20:57:54.462980986 CET50042445192.168.2.9195.72.16.150
                                  Jan 14, 2025 20:57:54.463129044 CET50043445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.467931032 CET44550043195.72.16.1192.168.2.9
                                  Jan 14, 2025 20:57:54.467947006 CET44550042195.72.16.150192.168.2.9
                                  Jan 14, 2025 20:57:54.468029976 CET50042445192.168.2.9195.72.16.150
                                  Jan 14, 2025 20:57:54.468058109 CET50043445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.468091011 CET50043445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.468415976 CET50044445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.473067045 CET44550043195.72.16.1192.168.2.9
                                  Jan 14, 2025 20:57:54.473121881 CET50043445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.473268986 CET44550044195.72.16.1192.168.2.9
                                  Jan 14, 2025 20:57:54.473324060 CET50044445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.473356009 CET50044445192.168.2.9195.72.16.1
                                  Jan 14, 2025 20:57:54.478184938 CET44550044195.72.16.1192.168.2.9
                                  Jan 14, 2025 20:57:55.465078115 CET44549974190.48.125.1192.168.2.9
                                  Jan 14, 2025 20:57:55.465167999 CET49974445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:55.465221882 CET49974445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:55.465245008 CET49974445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:55.470072985 CET44549974190.48.125.1192.168.2.9
                                  Jan 14, 2025 20:57:55.470083952 CET44549974190.48.125.1192.168.2.9
                                  Jan 14, 2025 20:57:55.785904884 CET50045445192.168.2.925.105.230.110
                                  Jan 14, 2025 20:57:55.790805101 CET4455004525.105.230.110192.168.2.9
                                  Jan 14, 2025 20:57:55.790911913 CET50045445192.168.2.925.105.230.110
                                  Jan 14, 2025 20:57:55.790973902 CET50045445192.168.2.925.105.230.110
                                  Jan 14, 2025 20:57:55.791213989 CET50046445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.796144962 CET4455004625.105.230.1192.168.2.9
                                  Jan 14, 2025 20:57:55.796211004 CET4455004525.105.230.110192.168.2.9
                                  Jan 14, 2025 20:57:55.796250105 CET50046445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.796277046 CET50046445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.796681881 CET50047445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.798114061 CET4455004525.105.230.110192.168.2.9
                                  Jan 14, 2025 20:57:55.798175097 CET50045445192.168.2.925.105.230.110
                                  Jan 14, 2025 20:57:55.801218987 CET4455004625.105.230.1192.168.2.9
                                  Jan 14, 2025 20:57:55.801270962 CET50046445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.801511049 CET4455004725.105.230.1192.168.2.9
                                  Jan 14, 2025 20:57:55.801565886 CET50047445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.801613092 CET50047445192.168.2.925.105.230.1
                                  Jan 14, 2025 20:57:55.806380987 CET4455004725.105.230.1192.168.2.9
                                  Jan 14, 2025 20:57:56.441822052 CET50048445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:56.446691990 CET44550048159.220.151.1192.168.2.9
                                  Jan 14, 2025 20:57:56.446875095 CET50048445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:56.446890116 CET50048445192.168.2.9159.220.151.1
                                  Jan 14, 2025 20:57:56.451792955 CET44550048159.220.151.1192.168.2.9
                                  Jan 14, 2025 20:57:57.035739899 CET50049445192.168.2.960.253.217.33
                                  Jan 14, 2025 20:57:57.040533066 CET4455004960.253.217.33192.168.2.9
                                  Jan 14, 2025 20:57:57.040625095 CET50049445192.168.2.960.253.217.33
                                  Jan 14, 2025 20:57:57.040709019 CET50049445192.168.2.960.253.217.33
                                  Jan 14, 2025 20:57:57.040893078 CET50050445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.045665979 CET4455004960.253.217.33192.168.2.9
                                  Jan 14, 2025 20:57:57.045727015 CET4455005060.253.217.1192.168.2.9
                                  Jan 14, 2025 20:57:57.045749903 CET50049445192.168.2.960.253.217.33
                                  Jan 14, 2025 20:57:57.045797110 CET50050445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.045871019 CET50050445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.046168089 CET50051445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.050731897 CET4455005060.253.217.1192.168.2.9
                                  Jan 14, 2025 20:57:57.050782919 CET50050445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.051002026 CET4455005160.253.217.1192.168.2.9
                                  Jan 14, 2025 20:57:57.051054001 CET50051445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.051086903 CET50051445192.168.2.960.253.217.1
                                  Jan 14, 2025 20:57:57.055805922 CET4455005160.253.217.1192.168.2.9
                                  Jan 14, 2025 20:57:57.465194941 CET44549997208.237.91.1192.168.2.9
                                  Jan 14, 2025 20:57:57.465336084 CET49997445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:57:57.465440035 CET49997445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:57:57.465491056 CET49997445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:57:57.470165968 CET44549997208.237.91.1192.168.2.9
                                  Jan 14, 2025 20:57:57.470221043 CET44549997208.237.91.1192.168.2.9
                                  Jan 14, 2025 20:57:57.519845963 CET4970580192.168.2.92.16.168.117
                                  Jan 14, 2025 20:57:57.524887085 CET80497052.16.168.117192.168.2.9
                                  Jan 14, 2025 20:57:57.524975061 CET4970580192.168.2.92.16.168.117
                                  Jan 14, 2025 20:57:57.745716095 CET44550002146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:57.745831966 CET50002445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:57.745883942 CET50002445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:57.745935917 CET50002445192.168.2.9146.143.226.1
                                  Jan 14, 2025 20:57:57.750711918 CET44550002146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:57.750722885 CET44550002146.143.226.1192.168.2.9
                                  Jan 14, 2025 20:57:57.801572084 CET50052445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.806395054 CET44550052146.143.226.2192.168.2.9
                                  Jan 14, 2025 20:57:57.806476116 CET50052445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.810391903 CET50052445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.811336994 CET50053445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.815216064 CET44550052146.143.226.2192.168.2.9
                                  Jan 14, 2025 20:57:57.815265894 CET50052445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.816124916 CET44550053146.143.226.2192.168.2.9
                                  Jan 14, 2025 20:57:57.816294909 CET50053445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.816317081 CET50053445192.168.2.9146.143.226.2
                                  Jan 14, 2025 20:57:57.821130037 CET44550053146.143.226.2192.168.2.9
                                  Jan 14, 2025 20:57:58.192033052 CET50054445192.168.2.924.85.146.168
                                  Jan 14, 2025 20:57:58.197292089 CET4455005424.85.146.168192.168.2.9
                                  Jan 14, 2025 20:57:58.197375059 CET50054445192.168.2.924.85.146.168
                                  Jan 14, 2025 20:57:58.197397947 CET50054445192.168.2.924.85.146.168
                                  Jan 14, 2025 20:57:58.197545052 CET50055445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.202361107 CET4455005524.85.146.1192.168.2.9
                                  Jan 14, 2025 20:57:58.202419043 CET50055445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.202600002 CET50055445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.202888012 CET50056445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.203668118 CET4455005424.85.146.168192.168.2.9
                                  Jan 14, 2025 20:57:58.203711987 CET50054445192.168.2.924.85.146.168
                                  Jan 14, 2025 20:57:58.207422972 CET4455005524.85.146.1192.168.2.9
                                  Jan 14, 2025 20:57:58.207468033 CET50055445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.207748890 CET4455005624.85.146.1192.168.2.9
                                  Jan 14, 2025 20:57:58.207802057 CET50056445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.207844973 CET50056445192.168.2.924.85.146.1
                                  Jan 14, 2025 20:57:58.212632895 CET4455005624.85.146.1192.168.2.9
                                  Jan 14, 2025 20:57:58.473011971 CET50057445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:58.477855921 CET44550057190.48.125.1192.168.2.9
                                  Jan 14, 2025 20:57:58.477967024 CET50057445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:58.478020906 CET50057445192.168.2.9190.48.125.1
                                  Jan 14, 2025 20:57:58.482778072 CET44550057190.48.125.1192.168.2.9
                                  Jan 14, 2025 20:57:59.270315886 CET50058445192.168.2.9125.7.143.169
                                  Jan 14, 2025 20:57:59.275194883 CET44550058125.7.143.169192.168.2.9
                                  Jan 14, 2025 20:57:59.275290012 CET50058445192.168.2.9125.7.143.169
                                  Jan 14, 2025 20:57:59.275367975 CET50058445192.168.2.9125.7.143.169
                                  Jan 14, 2025 20:57:59.275474072 CET50059445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.280282974 CET44550059125.7.143.1192.168.2.9
                                  Jan 14, 2025 20:57:59.280356884 CET50059445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.280385971 CET50059445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.280404091 CET44550058125.7.143.169192.168.2.9
                                  Jan 14, 2025 20:57:59.280456066 CET50058445192.168.2.9125.7.143.169
                                  Jan 14, 2025 20:57:59.280755043 CET50060445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.285329103 CET44550059125.7.143.1192.168.2.9
                                  Jan 14, 2025 20:57:59.285407066 CET50059445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.285526037 CET44550060125.7.143.1192.168.2.9
                                  Jan 14, 2025 20:57:59.285572052 CET50060445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.285752058 CET50060445192.168.2.9125.7.143.1
                                  Jan 14, 2025 20:57:59.290525913 CET44550060125.7.143.1192.168.2.9
                                  Jan 14, 2025 20:57:59.511575937 CET44550008120.203.108.1192.168.2.9
                                  Jan 14, 2025 20:57:59.511682987 CET50008445192.168.2.9120.203.108.1
                                  Jan 14, 2025 20:57:59.511730909 CET50008445192.168.2.9120.203.108.1
                                  Jan 14, 2025 20:57:59.511770964 CET50008445192.168.2.9120.203.108.1
                                  Jan 14, 2025 20:57:59.516660929 CET44550008120.203.108.1192.168.2.9
                                  Jan 14, 2025 20:57:59.516671896 CET44550008120.203.108.1192.168.2.9
                                  Jan 14, 2025 20:57:59.653424978 CET44550009184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:59.653620958 CET50009445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:59.653620958 CET50009445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:59.653655052 CET50009445192.168.2.9184.49.177.1
                                  Jan 14, 2025 20:57:59.658458948 CET44550009184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:59.658477068 CET44550009184.49.177.1192.168.2.9
                                  Jan 14, 2025 20:57:59.707421064 CET50061445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.712302923 CET44550061184.49.177.2192.168.2.9
                                  Jan 14, 2025 20:57:59.712393045 CET50061445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.712450027 CET50061445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.712816000 CET50062445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.717653990 CET44550062184.49.177.2192.168.2.9
                                  Jan 14, 2025 20:57:59.717736006 CET50062445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.717756033 CET50062445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.718485117 CET44550061184.49.177.2192.168.2.9
                                  Jan 14, 2025 20:57:59.718549013 CET50061445192.168.2.9184.49.177.2
                                  Jan 14, 2025 20:57:59.722520113 CET44550062184.49.177.2192.168.2.9
                                  Jan 14, 2025 20:58:00.285856009 CET50063445192.168.2.9143.189.238.82
                                  Jan 14, 2025 20:58:00.290786028 CET44550063143.189.238.82192.168.2.9
                                  Jan 14, 2025 20:58:00.290882111 CET50063445192.168.2.9143.189.238.82
                                  Jan 14, 2025 20:58:00.290911913 CET50063445192.168.2.9143.189.238.82
                                  Jan 14, 2025 20:58:00.291115046 CET50064445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.295945883 CET44550064143.189.238.1192.168.2.9
                                  Jan 14, 2025 20:58:00.296057940 CET50064445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.296139956 CET50064445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.296147108 CET44550063143.189.238.82192.168.2.9
                                  Jan 14, 2025 20:58:00.296158075 CET44550063143.189.238.82192.168.2.9
                                  Jan 14, 2025 20:58:00.296202898 CET50063445192.168.2.9143.189.238.82
                                  Jan 14, 2025 20:58:00.296487093 CET50065445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.300981998 CET44550064143.189.238.1192.168.2.9
                                  Jan 14, 2025 20:58:00.301054001 CET50064445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.301276922 CET44550065143.189.238.1192.168.2.9
                                  Jan 14, 2025 20:58:00.301340103 CET50065445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.301378965 CET50065445192.168.2.9143.189.238.1
                                  Jan 14, 2025 20:58:00.306201935 CET44550065143.189.238.1192.168.2.9
                                  Jan 14, 2025 20:58:00.473150969 CET50066445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:58:00.478043079 CET44550066208.237.91.1192.168.2.9
                                  Jan 14, 2025 20:58:00.478174925 CET50066445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:58:00.478224993 CET50066445192.168.2.9208.237.91.1
                                  Jan 14, 2025 20:58:00.482990980 CET44550066208.237.91.1192.168.2.9
                                  Jan 14, 2025 20:58:01.223699093 CET50067445192.168.2.9164.172.250.140
                                  Jan 14, 2025 20:58:01.228656054 CET44550067164.172.250.140192.168.2.9
                                  Jan 14, 2025 20:58:01.228748083 CET50067445192.168.2.9164.172.250.140
                                  Jan 14, 2025 20:58:01.228818893 CET50067445192.168.2.9164.172.250.140
                                  Jan 14, 2025 20:58:01.228974104 CET50068445192.168.2.9164.172.250.1
                                  Jan 14, 2025 20:58:01.233788013 CET44550067164.172.250.140192.168.2.9
                                  Jan 14, 2025 20:58:01.233802080 CET44550068164.172.250.1192.168.2.9
                                  Jan 14, 2025 20:58:01.233855963 CET50067445192.168.2.9164.172.250.140
Jan 14, 2025 20:58:01.233887911 CET  50068  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.233954906 CET  50068  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.234200954 CET  50069  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.238900900 CET  445  50068  164.172.250.1  192.168.2.9
Jan 14, 2025 20:58:01.238969088 CET  445  50069  164.172.250.1  192.168.2.9
Jan 14, 2025 20:58:01.238982916 CET  50068  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.239058018 CET  50069  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.239104033 CET  50069  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:01.243952036 CET  445  50069  164.172.250.1  192.168.2.9
Jan 14, 2025 20:58:01.480889082 CET  445  50012  93.252.137.1  192.168.2.9
Jan 14, 2025 20:58:01.480976105 CET  50012  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:01.481029987 CET  50012  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:01.481085062 CET  50012  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:01.485901117 CET  445  50012  93.252.137.1  192.168.2.9
Jan 14, 2025 20:58:01.485918045 CET  445  50012  93.252.137.1  192.168.2.9
Jan 14, 2025 20:58:01.703413963 CET  445  50013  91.124.228.1  192.168.2.9
Jan 14, 2025 20:58:01.703473091 CET  50013  445  192.168.2.9  91.124.228.1
Jan 14, 2025 20:58:01.703542948 CET  50013  445  192.168.2.9  91.124.228.1
Jan 14, 2025 20:58:01.703614950 CET  50013  445  192.168.2.9  91.124.228.1
Jan 14, 2025 20:58:01.709532976 CET  445  50013  91.124.228.1  192.168.2.9
Jan 14, 2025 20:58:01.709646940 CET  445  50013  91.124.228.1  192.168.2.9
Jan 14, 2025 20:58:01.774322033 CET  50070  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.779292107 CET  445  50070  91.124.228.2  192.168.2.9
Jan 14, 2025 20:58:01.779397011 CET  50070  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.779491901 CET  50070  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.784507990 CET  445  50070  91.124.228.2  192.168.2.9
Jan 14, 2025 20:58:01.784576893 CET  50070  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.789535999 CET  50071  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.794392109 CET  445  50071  91.124.228.2  192.168.2.9
Jan 14, 2025 20:58:01.794467926 CET  50071  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.794521093 CET  50071  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:01.799390078 CET  445  50071  91.124.228.2  192.168.2.9
Jan 14, 2025 20:58:02.098479033 CET  50072  445  192.168.2.9  216.145.81.9
Jan 14, 2025 20:58:02.103584051 CET  445  50072  216.145.81.9  192.168.2.9
Jan 14, 2025 20:58:02.103691101 CET  50072  445  192.168.2.9  216.145.81.9
Jan 14, 2025 20:58:02.105031013 CET  50072  445  192.168.2.9  216.145.81.9
Jan 14, 2025 20:58:02.105195045 CET  50073  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.109822035 CET  445  50072  216.145.81.9  192.168.2.9
Jan 14, 2025 20:58:02.109888077 CET  50072  445  192.168.2.9  216.145.81.9
Jan 14, 2025 20:58:02.109950066 CET  445  50073  216.145.81.1  192.168.2.9
Jan 14, 2025 20:58:02.110002041 CET  50073  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.110080004 CET  50073  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.110358953 CET  50074  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.114988089 CET  445  50073  216.145.81.1  192.168.2.9
Jan 14, 2025 20:58:02.115035057 CET  50073  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.115083933 CET  445  50074  216.145.81.1  192.168.2.9
Jan 14, 2025 20:58:02.115129948 CET  50074  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.115166903 CET  50074  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:02.119890928 CET  445  50074  216.145.81.1  192.168.2.9
Jan 14, 2025 20:58:02.520013094 CET  50075  445  192.168.2.9  120.203.108.1
Jan 14, 2025 20:58:02.524879932 CET  445  50075  120.203.108.1  192.168.2.9
Jan 14, 2025 20:58:02.524960041 CET  50075  445  192.168.2.9  120.203.108.1
Jan 14, 2025 20:58:02.525023937 CET  50075  445  192.168.2.9  120.203.108.1
Jan 14, 2025 20:58:02.529809952 CET  445  50075  120.203.108.1  192.168.2.9
Jan 14, 2025 20:58:02.926481962 CET  50076  445  192.168.2.9  18.144.38.146
Jan 14, 2025 20:58:02.931354046 CET  445  50076  18.144.38.146  192.168.2.9
Jan 14, 2025 20:58:02.931459904 CET  50076  445  192.168.2.9  18.144.38.146
Jan 14, 2025 20:58:02.931556940 CET  50076  445  192.168.2.9  18.144.38.146
Jan 14, 2025 20:58:02.931739092 CET  50077  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.936532974 CET  445  50077  18.144.38.1  192.168.2.9
Jan 14, 2025 20:58:02.936719894 CET  50077  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.936836958 CET  50077  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.937037945 CET  445  50076  18.144.38.146  192.168.2.9
Jan 14, 2025 20:58:02.937084913 CET  50076  445  192.168.2.9  18.144.38.146
Jan 14, 2025 20:58:02.937241077 CET  50078  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.942338943 CET  445  50078  18.144.38.1  192.168.2.9
Jan 14, 2025 20:58:02.942408085 CET  50078  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.942444086 CET  50078  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.943991899 CET  445  50077  18.144.38.1  192.168.2.9
Jan 14, 2025 20:58:02.944036961 CET  50077  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:02.947238922 CET  445  50078  18.144.38.1  192.168.2.9
Jan 14, 2025 20:58:03.527864933 CET  445  50016  192.251.179.1  192.168.2.9
Jan 14, 2025 20:58:03.527959108 CET  50016  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:03.528011084 CET  50016  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:03.528058052 CET  50016  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:03.533051968 CET  445  50016  192.251.179.1  192.168.2.9
Jan 14, 2025 20:58:03.533067942 CET  445  50016  192.251.179.1  192.168.2.9
Jan 14, 2025 20:58:03.692039967 CET  50080  445  192.168.2.9  211.197.80.199
Jan 14, 2025 20:58:03.696862936 CET  445  50080  211.197.80.199  192.168.2.9
Jan 14, 2025 20:58:03.696995020 CET  50080  445  192.168.2.9  211.197.80.199
Jan 14, 2025 20:58:03.697045088 CET  50080  445  192.168.2.9  211.197.80.199
Jan 14, 2025 20:58:03.697278023 CET  50081  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.702028036 CET  445  50081  211.197.80.1  192.168.2.9
Jan 14, 2025 20:58:03.702110052 CET  50081  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.702136993 CET  50081  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.702269077 CET  445  50080  211.197.80.199  192.168.2.9
Jan 14, 2025 20:58:03.702316046 CET  50080  445  192.168.2.9  211.197.80.199
Jan 14, 2025 20:58:03.702429056 CET  50082  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.707026005 CET  445  50081  211.197.80.1  192.168.2.9
Jan 14, 2025 20:58:03.707103014 CET  50081  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.707321882 CET  445  50082  211.197.80.1  192.168.2.9
Jan 14, 2025 20:58:03.707384109 CET  50082  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.707434893 CET  50082  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:03.712224960 CET  445  50082  211.197.80.1  192.168.2.9
Jan 14, 2025 20:58:03.732988119 CET  445  50017  221.249.132.1  192.168.2.9
Jan 14, 2025 20:58:03.733084917 CET  50017  445  192.168.2.9  221.249.132.1
Jan 14, 2025 20:58:03.733161926 CET  50017  445  192.168.2.9  221.249.132.1
Jan 14, 2025 20:58:03.733242989 CET  50017  445  192.168.2.9  221.249.132.1
Jan 14, 2025 20:58:03.737905025 CET  445  50017  221.249.132.1  192.168.2.9
Jan 14, 2025 20:58:03.737979889 CET  445  50017  221.249.132.1  192.168.2.9
Jan 14, 2025 20:58:03.785598040 CET  50083  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.790525913 CET  445  50083  221.249.132.2  192.168.2.9
Jan 14, 2025 20:58:03.790617943 CET  50083  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.790685892 CET  50083  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.791044950 CET  50084  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.795694113 CET  445  50083  221.249.132.2  192.168.2.9
Jan 14, 2025 20:58:03.795766115 CET  50083  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.795831919 CET  445  50084  221.249.132.2  192.168.2.9
Jan 14, 2025 20:58:03.795882940 CET  50084  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.795917034 CET  50084  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:03.800662041 CET  445  50084  221.249.132.2  192.168.2.9
Jan 14, 2025 20:58:04.488648891 CET  50086  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:04.493581057 CET  445  50086  93.252.137.1  192.168.2.9
Jan 14, 2025 20:58:04.496155977 CET  50086  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:04.496241093 CET  50086  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:04.501028061 CET  445  50086  93.252.137.1  192.168.2.9
Jan 14, 2025 20:58:05.531950951 CET  445  50020  46.72.240.1  192.168.2.9
Jan 14, 2025 20:58:05.532001019 CET  50020  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:05.532057047 CET  50020  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:05.532116890 CET  50020  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:05.536880970 CET  445  50020  46.72.240.1  192.168.2.9
Jan 14, 2025 20:58:05.536891937 CET  445  50020  46.72.240.1  192.168.2.9
Jan 14, 2025 20:58:05.702630997 CET  445  50021  18.4.104.1  192.168.2.9
Jan 14, 2025 20:58:05.702775002 CET  50021  445  192.168.2.9  18.4.104.1
Jan 14, 2025 20:58:05.702827930 CET  50021  445  192.168.2.9  18.4.104.1
Jan 14, 2025 20:58:05.702893019 CET  50021  445  192.168.2.9  18.4.104.1
Jan 14, 2025 20:58:05.708945036 CET  445  50021  18.4.104.1  192.168.2.9
Jan 14, 2025 20:58:05.708956957 CET  445  50021  18.4.104.1  192.168.2.9
Jan 14, 2025 20:58:05.754429102 CET  50090  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.760457993 CET  445  50090  18.4.104.2  192.168.2.9
Jan 14, 2025 20:58:05.760588884 CET  50090  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.761004925 CET  50090  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.761010885 CET  50091  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.767030954 CET  445  50091  18.4.104.2  192.168.2.9
Jan 14, 2025 20:58:05.767127991 CET  50091  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.767158985 CET  50091  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.767183065 CET  445  50090  18.4.104.2  192.168.2.9
Jan 14, 2025 20:58:05.767227888 CET  50090  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:05.773118973 CET  445  50091  18.4.104.2  192.168.2.9
Jan 14, 2025 20:58:06.535607100 CET  50094  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:06.540525913 CET  445  50094  192.251.179.1  192.168.2.9
Jan 14, 2025 20:58:06.540611029 CET  50094  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:06.540636063 CET  50094  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:06.545399904 CET  445  50094  192.251.179.1  192.168.2.9
Jan 14, 2025 20:58:07.559155941 CET  445  50024  220.92.122.1  192.168.2.9
Jan 14, 2025 20:58:07.559279919 CET  50024  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:07.559339046 CET  50024  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:07.559346914 CET  50024  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:07.564273119 CET  445  50024  220.92.122.1  192.168.2.9
Jan 14, 2025 20:58:07.564291000 CET  445  50024  220.92.122.1  192.168.2.9
Jan 14, 2025 20:58:07.699120998 CET  445  50025  108.154.178.1  192.168.2.9
Jan 14, 2025 20:58:07.699232101 CET  50025  445  192.168.2.9  108.154.178.1
Jan 14, 2025 20:58:07.699322939 CET  50025  445  192.168.2.9  108.154.178.1
Jan 14, 2025 20:58:07.699413061 CET  50025  445  192.168.2.9  108.154.178.1
Jan 14, 2025 20:58:07.704104900 CET  445  50025  108.154.178.1  192.168.2.9
Jan 14, 2025 20:58:07.704154015 CET  445  50025  108.154.178.1  192.168.2.9
Jan 14, 2025 20:58:07.754597902 CET  50102  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.759710073 CET  445  50102  108.154.178.2  192.168.2.9
Jan 14, 2025 20:58:07.759922981 CET  50102  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.759972095 CET  50102  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.760631084 CET  50103  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.764992952 CET  445  50102  108.154.178.2  192.168.2.9
Jan 14, 2025 20:58:07.765095949 CET  50102  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.765520096 CET  445  50103  108.154.178.2  192.168.2.9
Jan 14, 2025 20:58:07.765608072 CET  50103  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.765700102 CET  50103  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:07.770582914 CET  445  50103  108.154.178.2  192.168.2.9
Jan 14, 2025 20:58:08.535552979 CET  50111  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:08.540528059 CET  445  50111  46.72.240.1  192.168.2.9
Jan 14, 2025 20:58:08.540606022 CET  50111  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:08.540652037 CET  50111  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:08.545418978 CET  445  50111  46.72.240.1  192.168.2.9
Jan 14, 2025 20:58:09.419102907 CET  445  50028  95.189.127.1  192.168.2.9
Jan 14, 2025 20:58:09.419218063 CET  50028  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:09.419310093 CET  50028  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:09.419310093 CET  50028  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:09.424098015 CET  445  50028  95.189.127.1  192.168.2.9
Jan 14, 2025 20:58:09.424108982 CET  445  50028  95.189.127.1  192.168.2.9
Jan 14, 2025 20:58:09.752444029 CET  445  50029  80.248.194.1  192.168.2.9
Jan 14, 2025 20:58:09.752526045 CET  50029  445  192.168.2.9  80.248.194.1
Jan 14, 2025 20:58:09.752566099 CET  50029  445  192.168.2.9  80.248.194.1
Jan 14, 2025 20:58:09.752593994 CET  50029  445  192.168.2.9  80.248.194.1
Jan 14, 2025 20:58:09.757683039 CET  445  50029  80.248.194.1  192.168.2.9
Jan 14, 2025 20:58:09.757694960 CET  445  50029  80.248.194.1  192.168.2.9
Jan 14, 2025 20:58:09.816854954 CET  50123  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.821700096 CET  445  50123  80.248.194.2  192.168.2.9
Jan 14, 2025 20:58:09.821810961 CET  50123  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.821825981 CET  50123  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.822204113 CET  50125  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.826986074 CET  445  50125  80.248.194.2  192.168.2.9
Jan 14, 2025 20:58:09.826997995 CET  445  50123  80.248.194.2  192.168.2.9
Jan 14, 2025 20:58:09.827081919 CET  50123  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.827089071 CET  50125  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:09.831851006 CET  445  50125  80.248.194.2  192.168.2.9
Jan 14, 2025 20:58:10.566903114 CET  50135  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:10.571844101 CET  445  50135  220.92.122.1  192.168.2.9
Jan 14, 2025 20:58:10.571937084 CET  50135  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:10.571990967 CET  50135  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:10.576740026 CET  445  50135  220.92.122.1  192.168.2.9
Jan 14, 2025 20:58:11.217367887 CET  445  50032  33.222.99.1  192.168.2.9
Jan 14, 2025 20:58:11.217533112 CET  50032  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:11.217571974 CET  50032  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:11.217633009 CET  50032  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:11.222662926 CET  445  50032  33.222.99.1  192.168.2.9
Jan 14, 2025 20:58:11.222707033 CET  445  50032  33.222.99.1  192.168.2.9
Jan 14, 2025 20:58:11.777937889 CET  445  50033  162.2.173.1  192.168.2.9
Jan 14, 2025 20:58:11.778075933 CET  50033  445  192.168.2.9  162.2.173.1
Jan 14, 2025 20:58:11.780529976 CET  50033  445  192.168.2.9  162.2.173.1
Jan 14, 2025 20:58:11.780625105 CET  50033  445  192.168.2.9  162.2.173.1
Jan 14, 2025 20:58:11.785482883 CET  445  50033  162.2.173.1  192.168.2.9
Jan 14, 2025 20:58:11.785500050 CET  445  50033  162.2.173.1  192.168.2.9
Jan 14, 2025 20:58:11.842478037 CET  50159  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.847454071 CET  445  50159  162.2.173.2  192.168.2.9
Jan 14, 2025 20:58:11.847531080 CET  50159  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.851361990 CET  50159  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.855695009 CET  50160  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.856282949 CET  445  50159  162.2.173.2  192.168.2.9
Jan 14, 2025 20:58:11.856352091 CET  50159  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.860553026 CET  445  50160  162.2.173.2  192.168.2.9
Jan 14, 2025 20:58:11.860644102 CET  50160  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.864459991 CET  50160  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:11.869306087 CET  445  50160  162.2.173.2  192.168.2.9
Jan 14, 2025 20:58:12.426151037 CET  50174  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:12.431191921 CET  445  50174  95.189.127.1  192.168.2.9
Jan 14, 2025 20:58:12.431319952 CET  50174  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:12.431333065 CET  50174  445  192.168.2.9  95.189.127.1
Jan 14, 2025 20:58:12.436121941 CET  445  50174  95.189.127.1  192.168.2.9
Jan 14, 2025 20:58:12.841921091 CET  445  50036  80.89.4.1  192.168.2.9
Jan 14, 2025 20:58:12.841999054 CET  50036  445  192.168.2.9  80.89.4.1
Jan 14, 2025 20:58:12.842048883 CET  50036  445  192.168.2.9  80.89.4.1
Jan 14, 2025 20:58:12.842133999 CET  50036  445  192.168.2.9  80.89.4.1
Jan 14, 2025 20:58:12.846899033 CET  445  50036  80.89.4.1  192.168.2.9
Jan 14, 2025 20:58:12.846909046 CET  445  50036  80.89.4.1  192.168.2.9
Jan 14, 2025 20:58:13.795655012 CET  445  50037  149.96.103.1  192.168.2.9
Jan 14, 2025 20:58:13.795766115 CET  50037  445  192.168.2.9  149.96.103.1
Jan 14, 2025 20:58:13.795826912 CET  50037  445  192.168.2.9  149.96.103.1
Jan 14, 2025 20:58:13.795875072 CET  50037  445  192.168.2.9  149.96.103.1
Jan 14, 2025 20:58:13.800693035 CET  445  50037  149.96.103.1  192.168.2.9
Jan 14, 2025 20:58:13.800709963 CET  445  50037  149.96.103.1  192.168.2.9
Jan 14, 2025 20:58:13.848162889 CET  50214  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.853354931 CET  445  50214  149.96.103.2  192.168.2.9
Jan 14, 2025 20:58:13.853467941 CET  50214  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.853506088 CET  50214  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.853986979 CET  50215  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.858552933 CET  445  50214  149.96.103.2  192.168.2.9
Jan 14, 2025 20:58:13.858660936 CET  50214  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.858848095 CET  445  50215  149.96.103.2  192.168.2.9
Jan 14, 2025 20:58:13.858910084 CET  50215  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.858958006 CET  50215  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:13.863749981 CET  445  50215  149.96.103.2  192.168.2.9
Jan 14, 2025 20:58:14.223156929 CET  50232  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:14.228162050 CET  445  50232  33.222.99.1  192.168.2.9
Jan 14, 2025 20:58:14.228290081 CET  50232  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:14.228373051 CET  50232  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:14.233124971 CET  445  50232  33.222.99.1  192.168.2.9
Jan 14, 2025 20:58:14.631783009 CET  445  50040  78.131.168.1  192.168.2.9
Jan 14, 2025 20:58:14.632021904 CET  50040  445  192.168.2.9  78.131.168.1
Jan 14, 2025 20:58:14.632021904 CET  50040  445  192.168.2.9  78.131.168.1
Jan 14, 2025 20:58:14.632078886 CET  50040  445  192.168.2.9  78.131.168.1
Jan 14, 2025 20:58:14.636919975 CET  445  50040  78.131.168.1  192.168.2.9
Jan 14, 2025 20:58:14.636930943 CET  445  50040  78.131.168.1  192.168.2.9
Jan 14, 2025 20:58:15.793692112 CET  445  50041  94.116.139.1  192.168.2.9
Jan 14, 2025 20:58:15.793848991 CET  50041  445  192.168.2.9  94.116.139.1
Jan 14, 2025 20:58:15.844402075 CET  445  50044  195.72.16.1  192.168.2.9
Jan 14, 2025 20:58:15.844530106 CET  50044  445  192.168.2.9  195.72.16.1
Jan 14, 2025 20:58:16.853118896 CET  50160  445  192.168.2.9  162.2.173.2
Jan 14, 2025 20:58:16.853214025 CET  50125  445  192.168.2.9  80.248.194.2
Jan 14, 2025 20:58:16.853259087 CET  50215  445  192.168.2.9  149.96.103.2
Jan 14, 2025 20:58:16.853283882 CET  50062  445  192.168.2.9  184.49.177.2
Jan 14, 2025 20:58:16.853322983 CET  50053  445  192.168.2.9  146.143.226.2
Jan 14, 2025 20:58:16.853348017 CET  50071  445  192.168.2.9  91.124.228.2
Jan 14, 2025 20:58:16.853384972 CET  50084  445  192.168.2.9  221.249.132.2
Jan 14, 2025 20:58:16.853388071 CET  50041  445  192.168.2.9  94.116.139.1
Jan 14, 2025 20:58:16.853456974 CET  50047  445  192.168.2.9  25.105.230.1
Jan 14, 2025 20:58:16.853477955 CET  50048  445  192.168.2.9  159.220.151.1
Jan 14, 2025 20:58:16.853513956 CET  50051  445  192.168.2.9  60.253.217.1
Jan 14, 2025 20:58:16.853543997 CET  50044  445  192.168.2.9  195.72.16.1
Jan 14, 2025 20:58:16.853550911 CET  50056  445  192.168.2.9  24.85.146.1
Jan 14, 2025 20:58:16.853570938 CET  50057  445  192.168.2.9  190.48.125.1
Jan 14, 2025 20:58:16.853598118 CET  50060  445  192.168.2.9  125.7.143.1
Jan 14, 2025 20:58:16.853626966 CET  50065  445  192.168.2.9  143.189.238.1
Jan 14, 2025 20:58:16.853684902 CET  50069  445  192.168.2.9  164.172.250.1
Jan 14, 2025 20:58:16.853717089 CET  50074  445  192.168.2.9  216.145.81.1
Jan 14, 2025 20:58:16.853740931 CET  50075  445  192.168.2.9  120.203.108.1
Jan 14, 2025 20:58:16.853760958 CET  50078  445  192.168.2.9  18.144.38.1
Jan 14, 2025 20:58:16.853765011 CET  50066  445  192.168.2.9  208.237.91.1
Jan 14, 2025 20:58:16.853787899 CET  50082  445  192.168.2.9  211.197.80.1
Jan 14, 2025 20:58:16.853816032 CET  50094  445  192.168.2.9  192.251.179.1
Jan 14, 2025 20:58:16.853862047 CET  50091  445  192.168.2.9  18.4.104.2
Jan 14, 2025 20:58:16.853904963 CET  50086  445  192.168.2.9  93.252.137.1
Jan 14, 2025 20:58:16.853913069 CET  50135  445  192.168.2.9  220.92.122.1
Jan 14, 2025 20:58:16.853975058 CET  50103  445  192.168.2.9  108.154.178.2
Jan 14, 2025 20:58:16.856129885 CET  50232  445  192.168.2.9  33.222.99.1
Jan 14, 2025 20:58:16.856129885 CET  50111  445  192.168.2.9  46.72.240.1
Jan 14, 2025 20:58:16.856138945 CET  50174  445  192.168.2.9  95.189.127.1

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jan 14, 2025 20:57:57.979027033 CET  138  138  192.168.2.9  192.168.2.255

Target ID: 0
Start time: 14:57:09
Start date: 14/01/2025
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll"
Imagebase: 0x950000
File size: 126'464 bytes
MD5 hash: 51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 14:57:09
Start date: 14/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 14:57:09
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
Imagebase: 0xc50000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 14:57:09
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\jpXNd6Kt8z.dll,PlayGame
Imagebase: 0x110000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 14:57:09
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1
Imagebase: 0x110000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                  Target ID:6
                                  Start time:14:57:09
                                  Start date:14/01/2025
                                  Path:C:\Windows\mssecsvc.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\WINDOWS\mssecsvc.exe
                                  Imagebase:0x400000
                                  File size:3'723'264 bytes
                                  MD5 hash:F231DD1364C3E09C7885EE23750D87A2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1392551862.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1392661939.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1392661939.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                  • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 97%, ReversingLabs
                                  • Detection: 90%, Virustotal
                                  Reputation:low
                                  Has exited:true

                                  Target ID:8
                                  Start time:14:57:10
                                  Start date:14/01/2025
                                  Path:C:\Windows\mssecsvc.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\WINDOWS\mssecsvc.exe -m security
                                  Imagebase:0x400000
                                  File size:3'723'264 bytes
                                  MD5 hash:F231DD1364C3E09C7885EE23750D87A2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1399459695.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2040527467.000000000211B000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1399640398.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1399640398.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2040169439.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                  Reputation:low
                                  Has exited:true

                                  Target ID:9
                                  Start time:14:57:10
                                  Start date:14/01/2025
                                  Path:C:\Windows\tasksche.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\WINDOWS\tasksche.exe /i
                                  Imagebase:0x400000
                                  File size:3'514'368 bytes
                                  MD5 hash:3233ACED9279EF54267C479BBA665B90
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.1404985510.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 100%, ReversingLabs
                                  • Detection: 94%, Virustotal
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:10
                                  Start time:14:57:12
                                  Start date:14/01/2025
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",PlayGame
                                  Imagebase:0x110000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:14:57:12
                                  Start date:14/01/2025
                                  Path:C:\Windows\mssecsvc.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\WINDOWS\mssecsvc.exe
                                  Imagebase:0x400000
                                  File size:3'723'264 bytes
                                  MD5 hash:F231DD1364C3E09C7885EE23750D87A2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1424940350.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1421594801.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1425091569.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1421736202.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1421736202.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                  Reputation:low
                                  Has exited:true

                                  Target ID:12
                                  Start time:14:57:12
                                  Start date:14/01/2025
                                  Path:C:\Windows\tasksche.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\WINDOWS\tasksche.exe /i
                                  Imagebase:0x400000
                                  File size:3'514'368 bytes
                                  MD5 hash:3233ACED9279EF54267C479BBA665B90
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.1423659379.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.1424384794.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
                                  Reputation:moderate
                                  Has exited:true
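
The process list above records the dropper chain as the sandbox saw it: rundll32.exe loads the DLL through ordinal #1 and the PlayGame export, C:\Windows\mssecsvc.exe appears and is re-launched as C:\WINDOWS\mssecsvc.exe -m security (the binary path that the CreateServiceA call further down registers for the service mssecsvc2.0), and C:\Windows\tasksche.exe /i follows. The block below is an added example, not part of the Joe Sandbox report, showing how a detection pipeline would flag that chain from process-creation telemetry. The events are constructed to mirror the Target IDs above; the PIDs, parent PIDs and the services.exe parent of the -m security instance are assumptions, since this list does not show parent relations.

```python
r"""Flag the rundll32 -> C:\Windows\mssecsvc.exe -> tasksche.exe chain from
process-creation events.  Added example, not Joe Sandbox code.  EVENTS is
constructed to mirror the Target IDs in the report; PIDs, PPIDs and the
services.exe parent of the "-m security" instance are assumptions."""
import re

# Constructed Sysmon-style process-creation records (pid/ppid are invented).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1'},
    {"pid": 5, "ppid": 3, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\jpXNd6Kt8z.dll",#1'},
    {"pid": 6, "ppid": 5, "image": r"C:\Windows\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 8, "ppid": 100, "image": r"C:\Windows\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 9, "ppid": 8, "image": r"C:\Windows\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # benign control: rundll32 loading a system DLL must not fire
    {"pid": 50, "ppid": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>#\d+|\w+)', re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# image basename -> argument the dropper passes (taken from the report's command lines)
DROPPER_ARGS = {"mssecsvc.exe": "-m security", "tasksche.exe": "/i"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def rundll32_user_dll(ev):
    """rundll32 invoking an export (ordinal or name) of a DLL outside System32/SysWOW64."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = RUNDLL.search(ev["cmdline"])
    if not m or m.group("dll").lower().startswith(SYSTEM_DIRS):
        return None
    return f"rundll32 loads non-system DLL {m.group('dll')} via export {m.group('export')}"


def exe_in_windows_root(ev):
    """Executable launched straight from C:\\Windows rather than a subdirectory."""
    head, _, name = ev["image"].lower().rpartition("\\")
    if head == r"c:\windows" and name.endswith(".exe"):
        return f"executable launched directly from C:\\Windows: {name}"
    return None


def known_dropper_args(ev):
    """Image name plus argument pair seen in the report (mssecsvc.exe -m security, tasksche.exe /i)."""
    arg = DROPPER_ARGS.get(basename(ev["image"]))
    if arg and ev["cmdline"].lower().endswith(arg):
        return f"{basename(ev['image'])} started with dropper argument '{arg}'"
    return None


RULES = (rundll32_user_dll, exe_in_windows_root, known_dropper_args)


def detect(events):
    """Return (pid, rule name, message) for every rule that fires on an event."""
    return [(ev["pid"], rule.__name__, msg)
            for ev in events for rule in RULES if (msg := rule(ev))]


def ancestry(events, pid):
    """Rebuild the parent chain of `pid` (root first) from the ppid links."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule, msg in detect(EVENTS):
        print(f"pid {pid:>3} [{rule}] {msg}  chain: {' > '.join(ancestry(EVENTS, pid))}")
```

detect() returns one tuple per rule hit; on the constructed events it fires on the rundll32 instance that loads the Desktop DLL and on every mssecsvc.exe and tasksche.exe launch, and stays silent on the System32 rundll32 control. ancestry() walks the ppid links so an alert can be enriched with the full chain, which for the service-started instance leads back to services.exe rather than to the rundll32 host.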


                                    Execution Graph

                                    Execution Coverage:81.9%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:63.2%
                                    Total number of Nodes:38
                                    Total number of Limit Nodes:1
                                    execution_graph (node: address APIs -> successors)
                                    63: 409a16 __set_app_type __p__fmode __p__commode -> 64
                                    64: 409a85 -> 65, 66
                                    65: 409a99 -> 75
                                    66: 409a8d __setusermatherr -> 65
                                    68: 409a9e _initterm __getmainargs _initterm -> 69
                                    69: 409af2 GetStartupInfoA -> 71
                                    71: 409b26 GetModuleHandleA -> 76
                                    75: 409b8c _controlfp -> 68
                                    76: 408140 InternetOpenA InternetOpenUrlA -> 77
                                    77: 4081a7 InternetCloseHandle InternetCloseHandle -> 80
                                    79: 4081b2 exit _XcptFilter
                                    80: 408090 GetModuleFileNameA __p___argc -> 81, 82
                                    81: 4080b0 -> 91
                                    82: 4080b9 OpenSCManagerA -> 83, 84
                                    83: 408101 StartServiceCtrlDispatcherA -> 79
                                    84: 4080cf OpenServiceA -> 86, 87
                                    86: 4080fc CloseServiceHandle -> 83
                                    87: 4080ee -> 96
                                    90: 4080f6 CloseServiceHandle -> 86
                                    91: 407f20 -> 97
                                    93: 407f25 -> 102
                                    96: 407fa0 ChangeServiceConfig2A -> 90
                                    97: 407c40 sprintf OpenSCManagerA -> 98, 99
                                    98: 407c74 CreateServiceA -> 100, 101
                                    99: 407cca -> 93
                                    100: 407cbb CloseServiceHandle -> 93
                                    101: 407cad StartServiceA CloseServiceHandle -> 100
                                    102: 407ce0 GetModuleHandleW -> 103, 104
                                    103: 407d01 GetProcAddress GetProcAddress GetProcAddress GetProcAddress -> 104, 105
                                    104: 407f08 -> 79
                                    105: 407d49 -> 104, 106
                                    106: 407d69 FindResourceA -> 104, 107
                                    107: 407d84 LoadResource -> 104, 108
                                    108: 407d94 LockResource -> 104, 109
                                    109: 407da7 SizeofResource -> 104, 110
                                    110: 407db9 sprintf sprintf MoveFileExA CreateFileA -> 104, 111
                                    111: 407e54 WriteFile CloseHandle CreateProcessA -> 104, 112
                                    112: 407ef2 CloseHandle CloseHandle -> 104

                                    Callgraph

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
                                    • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                    • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                    • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                    • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                    • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                    • sprintf.MSVCRT ref: 00407E01
                                    • sprintf.MSVCRT ref: 00407E18
                                    • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
                                    • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                                    • CloseHandle.KERNELBASE(00000000), ref: 00407E68
                                    • CreateProcessA.KERNELBASE ref: 00407EE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                                    • CloseHandle.KERNEL32(08000000), ref: 00407F02
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1409178149.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.1408979544.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409590551.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410785099.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                                    Similarity
                                    • API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
                                    • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                    • API String ID: 4281112323-1507730452
                                    • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                    • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                    • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                    • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA
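
The API sequence listed for this function is the payload drop: FindResourceA for resource ID 0x727 (1831), LoadResource, LockResource and SizeofResource, two sprintf calls over the C:\%s\%s and C:\%s\qeriuwjhrf templates, MoveFileExA with MOVEFILE_REPLACE_EXISTING, CreateFileA/WriteFile of tasksche.exe, then CreateProcessA with /i. Below is an added example, not code from the report or from the sample, of the analyst-side counterpart: a stdlib-only walker that locates a resource by type and ID in a PE file the way FindResourceA and SizeofResource do, so the embedded executable can be carved from a dropper without running it. The PE it operates on is built by build_sample_pe() and is synthetic; the type name "R" is an assumption (the report shows only the pointer 0043137C as the lpType argument) and the payload bytes are a constructed stand-in.

```python
"""Walk a PE resource tree the way sub_407CE0 does with FindResourceA /
LoadResource / SizeofResource (resource ID 0x727 = 1831), using only struct.
Added example, not Joe Sandbox or WannaCry code.  The PE built by
build_sample_pe() is synthetic; the type name "R" is an assumption, the report
shows only a pointer (0043137C) as the lpType argument."""
import struct

RES_ID = 0x727   # lpName argument to FindResourceA on the page
RES_TYPE = "R"   # assumption, see module docstring


def _rva_to_off(sections, rva):
    """Map a virtual address to a file offset through the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _entry_name(data, base, name_field):
    """High bit set: offset (from the resource root) to a length-prefixed UTF-16LE string."""
    if name_field & 0x80000000:
        off = base + (name_field & 0x7FFFFFFF)
        n = struct.unpack_from("<H", data, off)[0]
        return data[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return name_field


def _lookup(data, base, dir_off, want):
    """Return the child offset of the entry named `want` (None = first entry)."""
    named, by_id = struct.unpack_from("<HH", data, dir_off + 12)
    for i in range(named + by_id):
        name, child = struct.unpack_from("<II", data, dir_off + 16 + 8 * i)
        if want is None or _entry_name(data, base, name) == want:
            return child
    raise KeyError(want)


def find_resource(data, rtype, rid):
    """FindResourceA + SizeofResource in one step: return the resource bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    # PE32 optional header: data directories start at +96, resources are entry 2
    res_rva = struct.unpack_from("<I", data, opt + 96 + 2 * 8)[0]
    sec_tab = opt + opt_size
    # section header +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    raw_secs = [struct.unpack_from("<IIII", data, sec_tab + 40 * i + 8) for i in range(nsec)]
    sections = [(va, vs, raw, rs) for vs, va, rs, raw in raw_secs]
    base = _rva_to_off(sections, res_rva)
    sub = _lookup(data, base, base, rtype)                        # level 1: type
    sub = _lookup(data, base, base + (sub & 0x7FFFFFFF), rid)     # level 2: name/id
    leaf = _lookup(data, base, base + (sub & 0x7FFFFFFF), None)   # level 3: language
    data_rva, size = struct.unpack_from("<II", data, base + leaf)  # IMAGE_RESOURCE_DATA_ENTRY
    off = _rva_to_off(sections, data_rva)
    return data[off:off + size]


PAYLOAD = b"MZ-constructed-stand-in-for-tasksche.exe"   # constructed, not the real payload


def build_sample_pe():
    """Minimal PE32 with one .rsrc section holding RES_TYPE / RES_ID / lang 0x409."""
    hdr = lambda named, by_id: struct.pack("<IIHHHH", 0, 0, 0, 0, named, by_id)
    ent = lambda name, child: struct.pack("<II", name, child)
    L2, L3, LEAF, NAME = 24, 48, 72, 88        # byte offsets inside the section
    name_str = struct.pack("<H", len(RES_TYPE)) + RES_TYPE.encode("utf-16-le")
    payload_off = NAME + len(name_str)
    rsrc = (hdr(1, 0) + ent(0x80000000 | NAME, 0x80000000 | L2)
            + hdr(0, 1) + ent(RES_ID, 0x80000000 | L3)
            + hdr(0, 1) + ent(0x409, LEAF)
            + struct.pack("<IIII", 0x1000 + payload_off, len(PAYLOAD), 0, 0)
            + name_str + PAYLOAD)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
           + b"\0" * 16 + struct.pack("<II", 0x1000, len(rsrc)) + b"\0" * 104)
    sec = struct.pack("<8sIIII", b".rsrc", len(rsrc), 0x1000, len(rsrc), 0x400) + b"\0" * 16
    head = dos + coff + opt + sec
    return head + b"\0" * (0x400 - len(head)) + rsrc


if __name__ == "__main__":
    blob = find_resource(build_sample_pe(), RES_TYPE, RES_ID)
    print(f"resource {RES_TYPE}/{RES_ID}: {len(blob)} bytes, starts {blob[:2]!r}")
```

Point find_resource() at the bytes of a real dropper with the type the sample actually uses to carve the embedded executable. The function raises KeyError when the tree lacks the requested type or ID and ValueError when a data entry's RVA is not backed by any section, which is what a truncated or partially dumped image looks like.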

                                    Control-flow Graph

                                    APIs
                                    • sprintf.MSVCRT ref: 00407C56
                                    • OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
                                    • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
                                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1409178149.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.1408979544.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409590551.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410785099.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                                    Similarity
                                    • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                    • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                                    • API String ID: 3340711343-4063779371
                                    • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                    • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                    • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                    • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1409178149.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.1408979544.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409590551.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410785099.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                                    Similarity
                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                    • String ID:
                                    • API String ID: 801014965-0
                                    • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                    • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                    • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                    • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

                                    Control-flow Graph

                                    APIs
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                    • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                    • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1409178149.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.1408979544.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409590551.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410785099.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen
                                    • String ID:
                                    • API String ID: 435140893-0
                                    • Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
                                    • Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
                                    • Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
                                    • Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

                                    Control-flow Graph

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                    • __p___argc.MSVCRT ref: 004080A5
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                    • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                    • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1409178149.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000006.00000002.1408979544.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409590551.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1409611195.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410785099.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000006.00000002.1410954672.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd
                                    Similarity
                                    • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                    • String ID: mssecsvc2.0
                                    • API String ID: 4274534310-3729025388
                                    • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                    • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                    • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                    • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                    Execution Graph

                                    Execution Coverage:34.8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:36
                                    Total number of Limit Nodes:2

                                    Callgraph

                                    Control-flow Graph

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                    • __p___argc.MSVCRT ref: 004080A5
                                    • OpenSCManagerA.SECHOST(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                    • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                    • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2039343390.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000008.00000002.2039328916.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039359348.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039424346.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039438438.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                    • String ID: mssecsvc2.0
                                    • API String ID: 4274534310-3729025388
                                    • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                    • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                    • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                    • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                    Control-flow Graph

                                    APIs
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                    • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                    • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2039343390.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000008.00000002.2039328916.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039359348.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039424346.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039438438.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen
                                    • String ID:
                                    • API String ID: 435140893-0
                                    • Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
                                    • Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
                                    • Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
                                    • Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

                                    Control-flow Graph

                                    APIs
                                    • sprintf.MSVCRT ref: 00407C56
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                                    • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
                                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2039343390.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000008.00000002.2039328916.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039359348.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039424346.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039438438.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                    • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                                    • API String ID: 3340711343-4063779371
                                    • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                    • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                    • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                    • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                    Control-flow Graph

                                    • Legend of the rendered graph: Executed / Not Executed (block colouring is not recoverable from the text)
                                    • Basic blocks (node: address range, API calls, successors):
                                      15: 407ce0-407cfb GetModuleHandleW -> 16, 17
                                      16: 407d01-407d43 GetProcAddress * 4 -> 17, 18
                                      17: 407f08-407f14 (no successors)
                                      18: 407d49-407d4f -> 17, 19
                                      19: 407d55-407d5b -> 17, 20
                                      20: 407d61-407d63 -> 17, 21
                                      21: 407d69-407d7e FindResourceA -> 17, 22
                                      22: 407d84-407d8e LoadResource -> 17, 23
                                      23: 407d94-407da1 LockResource -> 17, 24
                                      24: 407da7-407db3 SizeofResource -> 17, 25
                                      25: 407db9-407e4e sprintf * 2 MoveFileExA -> 17, 27
                                      27: 407e54-407ef0 -> 17, 31
                                      31: 407ef2-407f01 -> 17
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
                                    • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                    • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                    • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                    • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                    • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                    • sprintf.MSVCRT ref: 00407E01
                                    • sprintf.MSVCRT ref: 00407E18
                                    • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2039343390.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000008.00000002.2039328916.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039359348.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039424346.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039438438.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
                                    • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                    • API String ID: 4072214828-1507730452
                                    • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                    • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                    • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                    • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2039343390.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000008.00000002.2039328916.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039359348.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039373189.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039409496.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039424346.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039438438.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                    • Associated: 00000008.00000002.2039528639.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                    • String ID:
                                    • API String ID: 801014965-0
                                    • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                    • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                    • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                    • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59
                                    APIs
                                    • memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID: /../$/..\$\../$\..\
                                    • API String ID: 3510742995-3885502717
                                    • Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                                    • Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
                                    • Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
                                    • Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                    • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                    • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                    • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                    • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                    • API String ID: 2238633743-2459060434
                                    • Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                    • Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
                                    • Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
                                    • Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
                                    • OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
                                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
                                    • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
                                    • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandleOpen$ManagerStart
                                    • String ID: cmd.exe /c "%s"
                                    • API String ID: 1485051382-955883872
                                    • Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                    • Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
                                    • Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
                                    • Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
                                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
                                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
                                    • _CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
                                    • memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
                                    • memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrow$memcpy
                                    • String ID:
                                    • API String ID: 1881450474-3916222277
                                    • Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                    • Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
                                    • Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
                                    • Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58
                                    APIs
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
                                    • memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
                                    • GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
                                    • _local_unwind2.MSVCRT(?,000000FF), ref: 004016D6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
                                    • String ID: WANACRY!
                                    • API String ID: 283026544-1240840912
                                    • Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                    • Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
                                    • Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
                                    • Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrowmemcpy
                                    • String ID: $Q;@
                                    • API String ID: 2382887404-262343263
                                    • Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                    • Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
                                    • Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
                                    • Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrowmemcpy
                                    • String ID:
                                    • API String ID: 2382887404-3916222277
                                    • Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                                    • Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
                                    • Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
                                    • Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58
                                    APIs
                                    • free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$FreeProcessfree
                                    • String ID:
                                    • API String ID: 3428986607-0
                                    • Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                    • Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
                                    • Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
                                    • Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrow
                                    • String ID:
                                    • API String ID: 941485209-0
                                    • Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
                                    • Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
                                    • Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
                                    • Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrow
                                    • String ID:
                                    • API String ID: 941485209-0
                                    • Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
                                    • Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
                                    • Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
                                    • Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
                                    • Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
                                    • Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
                                    • Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44
                                    APIs
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA
                                    Yara matches
                                    Similarity
                                    • API ID: ContextCryptRelease
                                    • String ID:
                                    • API String ID: 829835001-0
                                    • Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                    • Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
                                    • Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
                                    • Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
                                    • Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
                                    • Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
                                    • Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
                                    • Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
                                    • Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
                                    • Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4
                                    APIs
                                      • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
                                      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8
                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
                                    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
                                    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
                                    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
                                    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
                                    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
                                    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
                                    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                    • API String ID: 2238633743-1294736154
                                    • Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                    • Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
                                    • Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
                                    • Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %s%s$%s%s%s$:$\
                                    • API String ID: 0-1100577047
                                    • Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                    • Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
                                    • Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
                                    • Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A
                                    APIs
                                    • __p___argv.MSVCRT(0040F538), ref: 00402040
                                    • strcmp.MSVCRT(?), ref: 0040204B
                                    • CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
                                    • GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076
                                      • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97
                                    • strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
                                    • strrchr.MSVCRT(?,0000005C), ref: 004020AE
                                    • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
                                      • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                      • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                      • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                      • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
                                    • String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
                                    • API String ID: 1074704982-2844324180
                                    • Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                    • Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
                                    • Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
                                    • Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28
                                    APIs
                                    • wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
                                    • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
                                    • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
                                    • strlen.MSVCRT(?), ref: 004011A7
                                    • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
                                    • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
                                    • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00401203
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
                                    • String ID: 0@$Software\$WanaCrypt0r
                                    • API String ID: 865909632-3421300005
                                    • Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                    • Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
                                    • Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
                                    • Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
                                    • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
                                    • GetFileAttributesW.KERNEL32(?), ref: 00401C10
                                    • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
                                    • wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
                                    • wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD
                                      • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                      • Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                    Yara matches
                                    Similarity
                                    • API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
                                    • String ID: %s\Intel$%s\ProgramData
                                    • API String ID: 3806094219-198707228
                                    • Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                    • Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
                                    • Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
                                    • Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59
                                    APIs
                                      • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463
                                    • SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
                                    • GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
                                    • memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7
                                      • Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5
                                    • SetLastError.KERNEL32(0000045A), ref: 00402430
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
                                    • String ID: ?!@$GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 1900561814-3657104962
                                    • Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                    • Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
                                    • Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
                                    • Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98
                                    APIs
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
                                    • GetFileAttributesW.KERNEL32(?), ref: 00401B2C
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
                                    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Directory$AttributesCreateCurrentFile$swprintf
                                    • String ID: %s\%s
                                    • API String ID: 1036847564-4073750446
                                    • Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                    • Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
                                    • Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
                                    • Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8
                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
                                    • WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
                                    • TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
                                    • CloseHandle.KERNEL32(?), ref: 004010EC
                                    • CloseHandle.KERNEL32(?), ref: 004010F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                    • String ID: D
                                    • API String ID: 786732093-2746444292
                                    • Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                    • Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
                                    • Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
                                    • Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8
                                    APIs
                                    • __set_app_type.MSVCRT(00000002), ref: 004077E7
                                    • __p__fmode.MSVCRT ref: 004077FC
                                    • __p__commode.MSVCRT ref: 0040780A
                                    • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                    • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                    • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
                                    • String ID:
                                    • API String ID: 3626615345-0
                                    • Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                    • Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
                                    • Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
                                    • Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59
                                    APIs
                                    • __setusermatherr.MSVCRT(0040793C), ref: 00407836
                                      • Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934
                                    • _initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
                                    • __getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
                                    • _initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
                                    • GetStartupInfoA.KERNEL32(?), ref: 004078BE
                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
                                    • exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
                                    • _XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
                                    • String ID:
                                    • API String ID: 2141228402-0
                                    • Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                    • Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
                                    • Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
                                    • Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59
                                    APIs
                                    • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
                                    • realloc.MSVCRT(85000001,317459C0), ref: 00402854
                                    • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Read$realloc
                                    • String ID: ?!@
                                    • API String ID: 1241503663-708128716
                                    • Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                    • Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
                                    • Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
                                    • Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: rand$wcslen$ComputerNamesrand
                                    • String ID:
                                    • API String ID: 3058258771-0
                                    • Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                    • Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
                                    • Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
                                    • Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8
                                    APIs
                                    • GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
                                    • memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
                                    • strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
                                    • strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
                                    • GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
                                    • String ID:
                                    • API String ID: 2935503933-0
                                    • Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                                    • Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
                                    • Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
                                    • Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669
                                    APIs
                                    • sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
                                    • OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
                                    • Sleep.KERNEL32(000003E8), ref: 00401F40
                                    • CloseHandle.KERNEL32(00000000), ref: 00401F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleMutexOpenSleepsprintf
                                    • String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
                                    • API String ID: 2780352083-2959021817
                                    • Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                                    • Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
                                    • Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
                                    • Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8
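The record above shows the sample formatting a mutex name with "%s%d" from "Global\MsWinZonesCacheCounterMutexA" and the value 0, opening it with OpenMutexA(0x00100000, which is SYNCHRONIZE, ...), sleeping 0x3E8 = 1000 ms, and closing the handle. The Python below is an added hunting check, not code from the report or from the sample: it rebuilds that name and probes it through the same API so an analyst can ask a live host or a sandbox VM whether the mutex exists. Assumptions, labelled in the code as well: the counter is 0 as in the record; a failed OpenMutexA reports the standard Win32 codes ERROR_FILE_NOT_FOUND (2) when the object is absent and ERROR_ACCESS_DENIED (5) when it exists but this token may not open it, which the probe treats as a positive result; on a non-Windows host the probe returns None because there is nothing to query.

```python
import ctypes
import sys

# Values from the report's record at 00401F16/00401F31: sprintf("%s%d", base, 0) and
# OpenMutexA(0x00100000 /* SYNCHRONIZE */, 1, name). Error codes are standard Win32 values
# (assumption: they are not shown on the page).
MUTEX_BASE = "Global\\MsWinZonesCacheCounterMutexA"
SYNCHRONIZE = 0x00100000
ERROR_FILE_NOT_FOUND = 2     # named object does not exist
ERROR_ACCESS_DENIED = 5      # object exists but this token may not open it


def mutex_name(counter: int = 0) -> str:
    """Rebuild the name the sample formats with "%s%d"; counter 0 matches the record."""
    return f"{MUTEX_BASE}{counter}"


def mutex_present(name: str):
    """Probe a named mutex with the same API the sample calls.

    Returns True if it can be opened (or exists but is access-denied), False if it is
    absent, and None on a non-Windows host where there is nothing to query."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexA.restype = ctypes.c_void_p
    k32.OpenMutexA.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_char_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # bInheritHandle is 0 here; the sample passes 1, which does not affect the result
    handle = k32.OpenMutexA(SYNCHRONIZE, 0, name.encode("ascii"))
    if handle:
        k32.CloseHandle(handle)
        return True
    err = ctypes.get_last_error()
    if err == ERROR_FILE_NOT_FOUND:
        return False
    if err == ERROR_ACCESS_DENIED:
        return True
    raise OSError(err, f"OpenMutexA({name!r}) failed with Win32 error {err}")


def hunt(counters=(0,)) -> dict:
    """Probe the formatted name for each counter value; the record only shows 0."""
    return {mutex_name(c): mutex_present(mutex_name(c)) for c in counters}


if __name__ == "__main__":
    for name, state in hunt().items():
        print(f"{name}: {state}")
```

Run it in the same session the sample ran in: names under the Global\ namespace are visible across sessions, but a mutex created with a restrictive DACL shows up as access-denied rather than as an open handle, which is why that code is counted as a hit rather than an error.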
                                    APIs
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
                                    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
                                    • _CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??0exception@@ExceptionThrowmemcpy
                                    • String ID:
                                    • API String ID: 2382887404-0
                                    • Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                                    • Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
                                    • Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
                                    • Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759
                                    APIs
                                    • fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
                                    • fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
                                    • fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
                                    • fclose.MSVCRT(00000000), ref: 00401058
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: fclosefopenfreadfwrite
                                    • String ID: c.wnry
                                    • API String ID: 4000964834-3240288721
                                    • Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                                    • Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
                                    • Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
                                    • Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE
                                    APIs
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
                                    • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
                                    • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
                                    • _local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AllocCreateGlobalReadSize_local_unwind2
                                    • String ID:
                                    • API String ID: 2811923685-0
                                    • Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                                    • Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
                                    • Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
                                    • Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
                                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Pointer$??2@Create
                                    • String ID:
                                    • API String ID: 1331958074-0
                                    • Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                                    • Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
                                    • Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
                                    • Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69
                                    APIs
                                    • _stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
                                    • SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_stricmp
                                    • String ID: P!@
                                    • API String ID: 1278613211-1774101457
                                    • Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                    • Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
                                    • Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
                                    • Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85
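The two records above, a case-insensitive _stricmp whose stack carries the string "TaskStart" followed by SetLastError(0x7F), which is ERROR_PROC_NOT_FOUND, are what a hand-written export resolver looks like: the code walks a module's export name table and, when the name is missing, sets the same error GetProcAddress would. The Python below is an added static-triage example, not code from the report or from the sample: it parses the export directory of a PE image in its file layout and looks a name up case-insensitively, returning 0x7F when it is absent, so an analyst can check whether a DLL pulled from a dump exposes TaskStart without loading it. The PE it runs on is constructed by build_sample_dll purely as a fixture, and the export names and RVAs inside it are invented for the demonstration.

```python
import struct

# Win32 error code the sample sets (SetLastError(0x7F)) when the export name is not found
ERROR_PROC_NOT_FOUND = 0x7F


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table entries (va, vsize, raw, rsize)."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(buf, off):
    return bytes(buf[off:buf.index(b"\x00", off)]).decode("ascii", "replace")


def parse_exports(pe: bytes) -> dict:
    """Return {name: function RVA} from the export directory of a PE32/PE32+ file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)              # data directories: PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", pe, dd)  # entry 0 is the export table
    sections = []
    sh = opt + opt_size
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, sh + 40 * i + 8)
        sections.append((va, vsize, raw, rsize))
    if exp_rva == 0:
        return {}
    d = _rva_to_offset(sections, exp_rva)
    _nfuncs, nnames, a_funcs, a_names, a_ords = struct.unpack_from("<IIIII", pe, d + 20)
    funcs = _rva_to_offset(sections, a_funcs)
    names = _rva_to_offset(sections, a_names)
    ords = _rva_to_offset(sections, a_ords)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        idx = struct.unpack_from("<H", pe, ords + 2 * i)[0]  # unbiased index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * idx)[0]
        exports[_cstr(pe, _rva_to_offset(sections, name_rva))] = func_rva
    return exports


def resolve_export(pe: bytes, wanted: str):
    """Case-insensitive lookup, as the sample's _stricmp loop does.
    Returns (rva, 0) on a hit, or (None, ERROR_PROC_NOT_FOUND) when the name is absent."""
    for name, rva in parse_exports(pe).items():
        if name.lower() == wanted.lower():
            return rva, 0
    return None, ERROR_PROC_NOT_FOUND


def build_sample_dll(exports: dict) -> bytes:
    """Constructed minimal PE32 DLL with one section at RVA == file offset 0x400 that
    carries an export directory for `exports` ({name: rva}). Fixture only, not a real binary."""
    sect = 0x400
    names = sorted(exports)                    # the export name table is kept sorted
    n = len(names)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    blob = bytearray(str_off)
    struct.pack_into("<IIIII", blob, 20, n, n, sect + funcs_off, sect + names_off, sect + ords_off)
    for i, name in enumerate(names):
        struct.pack_into("<I", blob, funcs_off + 4 * i, exports[name])
        struct.pack_into("<I", blob, names_off + 4 * i, sect + len(blob))  # string appended next
        struct.pack_into("<H", blob, ords_off + 2 * i, i)
        blob += name.encode("ascii") + b"\x00"
    hdr = bytearray(sect)
    hdr[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", hdr, opt + 96, sect, len(blob))                  # export data directory
    sh = opt + 224
    hdr[sh:sh + 8] = b".edata\x00\x00"
    struct.pack_into("<IIII", hdr, sh + 8, len(blob), sect, len(blob), sect)
    return bytes(hdr) + bytes(blob)


if __name__ == "__main__":
    dll = build_sample_dll({"TaskStart": 0x1000, "Init": 0x1200})   # invented names and RVAs
    print(parse_exports(dll))
    print(resolve_export(dll, "taskstart"), resolve_export(dll, "Missing"))
```

To run it on a dumped module, pass the file bytes to resolve_export; a dump taken from memory rather than disk has sections at their virtual addresses, so _rva_to_offset then needs raw == va, which is exactly how the fixture above is laid out.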
                                    APIs
                                    • strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
                                    • GetFileAttributesA.KERNEL32(?), ref: 00401E6E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                     • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFilestrcmp
                                    • String ID: c.wnry
                                    • API String ID: 3324900478-3240288721
                                    • Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                    • Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
                                    • Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
                                    • Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA
                                    APIs
                                    • CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
                                    • ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??3@CloseHandle
                                    • String ID: $l@
                                    • API String ID: 3816424416-2140230165
                                    • Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                    • Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
                                    • Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
                                    • Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC
                                    APIs
                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
                                    • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
                                    • LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
                                    • memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1406448359.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.1406413857.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406478076.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406507185.000000000040E000.00000008.00000001.01000000.00000007.sdmp
                                    • Associated: 00000009.00000002.1406527204.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_400000_tasksche.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$Leave$Entermemcpy
                                    • String ID:
                                    • API String ID: 3435569088-0
                                    • Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                                    • Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
                                    • Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
                                    • Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65
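The three function blocks above each carry an "APIs" list (call, module, recovered arguments, call-site address) and a "Similarity" key built from it: the "API ID" (e.g. `AttributesFilestrcmp` for the block that compares a filename against `c.wnry` and then calls `GetFileAttributesA` on it) and the literal arguments that feed the "String ID" (`c.wnry`, `$l@`). The script below is an added example, not Joe Sandbox code: it parses those API lines into structured records and rebuilds the API-ID word key and the string list so that function blocks from several reports can be clustered offline. The word rules it applies (drop a leading `Get`, drop a trailing `A`/`W`, split CamelCase, keep a decorated C++ symbol up to its first `@`, group words by frequency, alphabetical within a group, groups joined with `$`) are an inference that reproduces the three API IDs on this page; the vendor's actual derivation is not documented here and may differ on other input. The sample lines are copied from the tasksche blocks above.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox report and rebuild the
"API ID" / string-argument similarity keys shown under "Similarity".

Added example, not Joe Sandbox code. The key derivation is inferred from the
three function blocks on this page (it reproduces their API IDs); the vendor's
real algorithm is undocumented here and may differ elsewhere.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# API lines copied from the three tasksche function blocks in the report above.
BLOCK_1 = """\
• strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
• GetFileAttributesA.KERNEL32(?), ref: 00401E6E
"""
BLOCK_2 = """\
• CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
• ??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD
"""
BLOCK_3 = """\
• EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
• LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
• memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C
"""

API_LINE = re.compile(
    r"^•\s*(?P<name>.+?)\.(?P<module>[A-Z0-9]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    name: str      # imported symbol, e.g. GetFileAttributesA or ??3@YAXPAX@Z
    module: str    # KERNEL32, MSVCRT, ...
    args: tuple    # argument column as the sandbox recovered it ("?" = unknown)
    ref: int       # address of the call site inside the dumped image


def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue  # tolerate headings or blank lines between entries
        args = tuple(m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def name_tokens(name: str) -> list[str]:
    """Split an API name into the words the API ID is built from (inferred rules)."""
    if name.startswith("?"):                     # MSVC-decorated C++ symbol: keep up to first '@'
        return [name[: name.index("@") + 1]]
    base = re.sub(r"^Get", "", name)             # 'Get' prefix dropped (GetFileAttributesA -> ...)
    base = re.sub(r"(?<=[a-z])[AW]$", "", base)  # ANSI/Unicode suffix dropped
    return re.findall(r"[A-Z][a-z]+|[a-z]+|[A-Z]+(?![a-z])", base)


def api_id(calls) -> str:
    """Words grouped by occurrence count, most frequent group first,
    alphabetical inside a group, groups joined with '$'."""
    counts = Counter(t for c in calls for t in name_tokens(c.name))
    groups = defaultdict(list)
    for tok, n in counts.items():
        groups[n].append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def string_args(calls) -> list[str]:
    """Literal arguments: anything that is neither unknown ('?') nor a 32-bit hex value."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX32.match(a) and a not in out:
                out.append(a)
    return out


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "api_id": api_id(calls),
        "strings": string_args(calls),
        "first_ref": min(c.ref for c in calls),
        "modules": sorted({c.module for c in calls}),
    }


if __name__ == "__main__":
    for label, blk in (("block 1", BLOCK_1), ("block 2", BLOCK_2), ("block 3", BLOCK_3)):
        print(label, summarize(blk))
```

Feeding every function block of a report through `summarize` gives a compact (API ID, strings, first call-site address) tuple per function that is cheap to diff across samples; the literal-argument list is the part worth keeping as an indicator, since `c.wnry` is the ransomware's configuration file name and survives recompilation far better than the instruction hashes above.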