Windows Analysis Report
Gn8CvJE07O.dll

Overview

General Information

Sample name: Gn8CvJE07O.dll (renamed because original name is a hash value)
Original sample name: 8c3ac09b90b14e6ab2ecce1bb4e475b0.dll
Analysis ID: 1592037
MD5: 8c3ac09b90b14e6ab2ecce1bb4e475b0
SHA1: 02f971a3e49ac0151b51126b0c2e41f556e65c32
SHA256: da8591758cf7f86fd5bafacb7ce10c2f0b282aa8793227ab0381e13e1273b70f
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4952 cmdline: loaddll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5840 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 4144 cmdline: rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6844 cmdline: rundll32.exe C:\Users\user\Desktop\Gn8CvJE07O.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 5728 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 121CCF162E02BDBEF5B5CD056933F4D3)
    • rundll32.exe (PID: 5560 cmdline: rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 5632 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 121CCF162E02BDBEF5B5CD056933F4D3)
  • mssecsvr.exe (PID: 6048 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 121CCF162E02BDBEF5B5CD056933F4D3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Gn8CvJE07O.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
Gn8CvJE07O.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  • 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Gn8CvJE07O.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Source | Rule | Description | Author | Strings
C:\Windows\tasksche.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
C:\Windows\tasksche.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Source | Rule | Description | Author | Strings
00000009.00000002.2112704011.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000007.00000002.2741600486.000000000042E000.00000004.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000007.00000000.2091006153.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000009.00000000.2099567193.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security

Source | Rule | Description | Author | Strings
7.2.mssecsvr.exe.1d52084.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvr.exe.22788c8.9.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.0.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
  • 0x1e02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x1adc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x16c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
  • 0x1e02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
  • 0x1adc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
  • 0x16c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-15T17:25:07.281335+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | TCP
2025-01-15T17:25:08.974759+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 103.224.212.215 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-15T17:25:06.342878+0100 | 2830018 | 1 | A Network Trojan was detected | 192.168.2.5 | 51063 | 1.1.1.1 | 53 | UDP

AV Detection

Source: Gn8CvJE07O.dll | Avira: detected
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f70f | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc03 | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174 | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f7 | Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174ed | Avira URL Cloud: Label: malware
Source: C:\WINDOWS\qeriuwjhrf (copy) | ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 93%
Source: Gn8CvJE07O.dll | Virustotal: Detection: 93%
Source: Gn8CvJE07O.dll | ReversingLabs: Detection: 92%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: Gn8CvJE07O.dll | Joe Sandbox ML: detected

Exploits

Source: Gn8CvJE07O.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

                Networking

                barindex
                Source: Network traffic Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.5:51063 -> 1.1.1.1:53
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0325-07ad-ad4a-bba6e83174ed HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0325-0823-9d83-9e2f87dfdc03 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736958307.7566444
                Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0325-093d-a7ca-255010b2f70f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=0a70b268-8399-43f9-ab15-5dcb859153dc
                Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 103.224.212.215:80
                Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 103.224.212.215:80
                Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
                Source: global traffic DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: global traffic DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: mssecsvr.exe, 00000005.00000002.2105056862.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000003.2081305191.0000000000C86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174
                Source: mssecsvr.exe, 00000007.00000002.2742173066.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2098213067.00000000009CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc
                Source: mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.2111867249.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2113055371.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f7
                Source: Gn8CvJE07O.dll String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: mssecsvr.exe, 00000005.00000002.2105056862.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2105056862.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000002.2105056862.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2742173066.000000000099D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2742173066.0000000000977000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2113055371.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
                Source: mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%
                Source: mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8
                Source: mssecsvr.exe, 00000007.00000002.2741475855.000000000019D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
                Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703

                Spam, unwanted Advertisements and Ransom Demands

                Source: Yara match File source: Gn8CvJE07O.dll, type: SAMPLE
                Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 5728, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 6048, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 5632, type: MEMORYSTR
                Source: Yara match File source: C:\Windows\tasksche.exe, type: DROPPED

                System Summary

                Source: Gn8CvJE07O.dll, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: Gn8CvJE07O.dll, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\tasksche.exe
                Source: Joe Sandbox View Dropped File: C:\WINDOWS\qeriuwjhrf (copy) 243AA13DFB3D28C50AD1F04BC39216DE15816E6646934F99ED86787B7161F765
                Source: Joe Sandbox View Dropped File: C:\Windows\tasksche.exe 243AA13DFB3D28C50AD1F04BC39216DE15816E6646934F99ED86787B7161F765
                Source: tasksche.exe.5.dr Static PE information: No import functions for PE file found
                Source: Gn8CvJE07O.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: Gn8CvJE07O.dll, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: Gn8CvJE07O.dll, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.22aa96c.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.22aa96c.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d84128.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.22788c8.9.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.22788c8.9.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d84128.2.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.22aa96c.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.22aa96c.7.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.1d61104.4.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d61104.4.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.2.mssecsvr.exe.1d61104.4.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.2287948.8.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.2287948.8.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.2.mssecsvr.exe.2287948.8.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 5.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 7.2.mssecsvr.exe.1d52084.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d52084.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 9.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d5d0a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.2287948.8.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.2287948.8.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.1d61104.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.1d61104.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.2.mssecsvr.exe.22838e8.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.2.mssecsvr.exe.22838e8.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000005.00000000.2070885182.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000007.00000002.2742720446.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000007.00000002.2741838524.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000009.00000002.2112821535.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000009.00000000.2099679615.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000007.00000000.2091118201.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000007.00000002.2742964021.0000000002287000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: tasksche.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: tasksche.exe.5.drStatic PE information: Section: .rdata ZLIB complexity 1.0007621951219512
                Source: tasksche.exe.5.drStatic PE information: Section: .data ZLIB complexity 1.001953125
                Source: tasksche.exe.5.drStatic PE information: Section: .rsrc ZLIB complexity 1.0007408405172413
                Source: Gn8CvJE07O.dll, tasksche.exe.5.drBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                Source: classification engineClassification label: mal100.rans.expl.evad.winDLL@18/2@2/100
                Source: C:\Windows\mssecsvr.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,7_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,5_2_00407CE0
                Source: C:\Windows\mssecsvr.exeCode function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,5_2_00408090
                Source: C:\Windows\mssecsvr.exeCode function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,7_2_00408090
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
                Source: Gn8CvJE07O.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Gn8CvJE07O.dll,PlayGame
                Source: Gn8CvJE07O.dll Virustotal: Detection: 93%
                Source: Gn8CvJE07O.dll ReversingLabs: Detection: 92%
                Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll"
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Gn8CvJE07O.dll,PlayGame
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: unknown Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",PlayGame
                Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Gn8CvJE07O.dll,PlayGame
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",PlayGame
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
                Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: apphelp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: cryptsp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: rsaenh.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: cryptbase.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\mssecsvr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: Gn8CvJE07O.dll Static file information: File size 5267459 > 1048576
                Source: Gn8CvJE07O.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                Source: tasksche.exe.5.dr Static PE information: section name: .text entropy: 7.661200759124495

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\rundll32.exe Executable created and started: C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\qeriuwjhrf (copy)
                Source: C:\Windows\mssecsvr.exe File created: C:\Windows\tasksche.exe
                Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\qeriuwjhrf (copy)
                Source: C:\Windows\mssecsvr.exe File created: C:\Windows\tasksche.exe
                Source: C:\Windows\mssecsvr.exe Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\mssecsvr.exe Thread delayed: delay time: 86400000
                Source: C:\Windows\mssecsvr.exe Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)
                Source: C:\Windows\mssecsvr.exe Dropped PE file which has not been started: C:\Windows\tasksche.exe
                Source: C:\Windows\mssecsvr.exe TID: 6484 Thread sleep count: 93 > 30
                Source: C:\Windows\mssecsvr.exe TID: 6484 Thread sleep time: -186000s >= -30000s
                Source: C:\Windows\mssecsvr.exe TID: 5428 Thread sleep count: 127 > 30
                Source: C:\Windows\mssecsvr.exe TID: 5428 Thread sleep count: 46 > 30
                Source: C:\Windows\mssecsvr.exe TID: 6484 Thread sleep time: -86400000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
                Source: C:\Windows\mssecsvr.exe Thread delayed: delay time: 86400000
                Source: mssecsvr.exe, 00000005.00000002.2105056862.0000000000C47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx9
                Source: mssecsvr.exe, 00000005.00000002.2105056862.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}v
                Source: mssecsvr.exe, 00000009.00000002.2113055371.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
                Source: mssecsvr.exe, 00000005.00000002.2105056862.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2742173066.0000000000977000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000002.2742173066.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2113055371.0000000000B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: mssecsvr.exe, 00000009.00000002.2113055371.0000000000B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWSz
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Service Execution | 4 Windows Service | 4 Windows Service | 12 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 21 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                [Behavior graph: ID 1592037, sample Gn8CvJE07O.dll, start date 15/01/2025, architecture WINDOWS, score 100]
                Source | Detection | Scanner | Label
                Gn8CvJE07O.dll | 93% | Virustotal |
                Gn8CvJE07O.dll | 92% | ReversingLabs | Win32.Ransomware.WannaCry
                Gn8CvJE07O.dll | 100% | Avira | TR/AD.DPulsarShellcode.gohtr
                Gn8CvJE07O.dll | 100% | Joe Sandbox ML |

                Source | Detection | Scanner | Label
                C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
                C:\WINDOWS\qeriuwjhrf (copy) | 93% | ReversingLabs | Win32.Ransomware.WannaCry
                C:\Windows\tasksche.exe | 93% | ReversingLabs | Win32.Ransomware.WannaCry
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f70f | 100% | Avira URL Cloud | malware
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc03 | 100% | Avira URL Cloud | malware
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc | 100% | Avira URL Cloud | malware
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174 | 100% | Avira URL Cloud | malware
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f7 | 100% | Avira URL Cloud | malware
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174ed | 100% | Avira URL Cloud | malware
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                77026.bodis.com | 199.59.243.228 | true | false | | high
                www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 103.224.212.215 | true | false | | high
                ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f70f | false | Avira URL Cloud: malware | unknown
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174ed | false | Avira URL Cloud: malware | unknown
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc03 | false | Avira URL Cloud: malware | unknown
                http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174 | mssecsvr.exe, 00000005.00000002.2105056862.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000005.00000003.2081305191.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | mssecsvr.exe, 00000007.00000002.2741475855.000000000019D000.00000004.00000010.00020000.00000000.sdmp | false | | high
                http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8 | mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Gn8CvJE07O.dll | false | | high
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f7 | mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000003.2111867249.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000009.00000002.2113055371.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc | mssecsvr.exe, 00000007.00000002.2742173066.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000007.00000003.2098213067.00000000009CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/% | mssecsvr.exe, 00000009.00000002.2113055371.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp | false | | high
                Joe Sandbox version: 42.0.0 Malachite
                Analysis ID: 1592037
                Start date and time: 2025-01-15 17:24:11 +01:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 5m 34s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 12
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: Gn8CvJE07O.dll
                renamed because original name is a hash value
                Original Sample Name: 8c3ac09b90b14e6ab2ecce1bb4e475b0.dll
                Detection: MAL
                Classification: mal100.rans.expl.evad.winDLL@18/2@2/100
                EGA Information:
                • Successful, ratio: 100%
                HCA Information: Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .dll
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.17.190.73, 13.107.246.45, 4.175.87.197
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                Time | Type | Description
                                11:25:08 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
                                11:25:42 | API Interceptor | 112x Sleep call for process: mssecsvr.exe modified
                                No context
                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                No context
                                Match | Associated Sample Name / URL | Detection | Threat Name
                                C:\WINDOWS\qeriuwjhrf (copy) | o11cUvWfBt.dll | malicious | Wannacry
                                C:\Windows\tasksche.exe | o11cUvWfBt.dll | malicious | Wannacry
                                    Process:C:\Windows\mssecsvr.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):2061938
                                    Entropy (8bit):7.993423742312612
                                    Encrypted:true
                                    SSDEEP:49152:vEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:8PoBhz1aRxcSUDk36SAEdhvm
                                    MD5:1718AB24CBC39F6119C5E9C04578CE33
                                    SHA1:CE88507C49E55667A43C5F5FD40CA62D78BE71E1
                                    SHA-256:243AA13DFB3D28C50AD1F04BC39216DE15816E6646934F99ED86787B7161F765
                                    SHA-512:7EBBB2B526AE1EDB7A3ECBF65F47955CD88881829CBCCF40C5DB1A0B9FC99823DFA9384188A47FD5CA3B60EB62BE4108E99D53DE6433EE1D8CF52CE2A6FF0EAB
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 93%
                                    Joe Sandbox View:
                                    • Filename: o11cUvWfBt.dll, Detection: malicious, Browse
                                    Reputation:low
                                    Process:C:\Windows\mssecsvr.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):2061938
                                    Entropy (8bit):7.993423742312612
                                    Encrypted:true
                                    SSDEEP:49152:vEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:8PoBhz1aRxcSUDk36SAEdhvm
                                    MD5:1718AB24CBC39F6119C5E9C04578CE33
                                    SHA1:CE88507C49E55667A43C5F5FD40CA62D78BE71E1
                                    SHA-256:243AA13DFB3D28C50AD1F04BC39216DE15816E6646934F99ED86787B7161F765
                                    SHA-512:7EBBB2B526AE1EDB7A3ECBF65F47955CD88881829CBCCF40C5DB1A0B9FC99823DFA9384188A47FD5CA3B60EB62BE4108E99D53DE6433EE1D8CF52CE2A6FF0EAB
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                    • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 93%
                                    Joe Sandbox View:
                                    • Filename: o11cUvWfBt.dll, Detection: malicious, Browse
                                    Reputation:low
                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):4.327258624597166
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                    • DOS Executable Generic (2002/1) 0.20%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Gn8CvJE07O.dll
                                    File size:5'267'459 bytes
                                    MD5:8c3ac09b90b14e6ab2ecce1bb4e475b0
                                    SHA1:02f971a3e49ac0151b51126b0c2e41f556e65c32
                                    SHA256:da8591758cf7f86fd5bafacb7ce10c2f0b282aa8793227ab0381e13e1273b70f
                                    SHA512:2c6da241525acb04262e24b8e8930f7292b7a3c926896d9f05d9b17ac272ec5d671f4e1fee16e48f0084837c405bad53aa68f03cde860b58e67269f00eeb1fc3
                                    SSDEEP:49152:RnxEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1yPoBhz1aRxcSUDk36SAEdhv
                                    TLSH:BB363369717CD2FCD105297444ABCA63A3B37C6A16FE6A0F8F4089661D03B59FB90B43
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                                    Icon Hash:7ae282899bbab082
                                    Entrypoint:0x100011e9
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x10000000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                    DLL Characteristics:
                                    Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    push ebx
                                    mov ebx, dword ptr [ebp+08h]
                                    push esi
                                    mov esi, dword ptr [ebp+0Ch]
                                    push edi
                                    mov edi, dword ptr [ebp+10h]
                                    test esi, esi
                                    jne 00007F262CF584ABh
                                    cmp dword ptr [10003140h], 00000000h
                                    jmp 00007F262CF584C8h
                                    cmp esi, 01h
                                    je 00007F262CF584A7h
                                    cmp esi, 02h
                                    jne 00007F262CF584C4h
                                    mov eax, dword ptr [10003150h]
                                    test eax, eax
                                    je 00007F262CF584ABh
                                    push edi
                                    push esi
                                    push ebx
                                    call eax
                                    test eax, eax
                                    je 00007F262CF584AEh
                                    push edi
                                    push esi
                                    push ebx
                                    call 00007F262CF583BAh
                                    test eax, eax
                                    jne 00007F262CF584A6h
                                    xor eax, eax
                                    jmp 00007F262CF584F0h
                                    push edi
                                    push esi
                                    push ebx
                                    call 00007F262CF5826Ch
                                    cmp esi, 01h
                                    mov dword ptr [ebp+0Ch], eax
                                    jne 00007F262CF584AEh
                                    test eax, eax
                                    jne 00007F262CF584D9h
                                    push edi
                                    push eax
                                    push ebx
                                    call 00007F262CF58396h
                                    test esi, esi
                                    je 00007F262CF584A7h
                                    cmp esi, 03h
                                    jne 00007F262CF584C8h
                                    push edi
                                    push esi
                                    push ebx
                                    call 00007F262CF58385h
                                    test eax, eax
                                    jne 00007F262CF584A5h
                                    and dword ptr [ebp+0Ch], eax
                                    cmp dword ptr [ebp+0Ch], 00000000h
                                    je 00007F262CF584B3h
                                    mov eax, dword ptr [10003150h]
                                    test eax, eax
                                    je 00007F262CF584AAh
                                    push edi
                                    push esi
                                    push ebx
                                    call eax
                                    mov dword ptr [ebp+0Ch], eax
                                    mov eax, dword ptr [ebp+0Ch]
                                    pop edi
                                    pop esi
                                    pop ebx
                                    pop ebp
                                    retn 000Ch
                                    jmp dword ptr [10002028h]
                                    Programming Language:
                                    • [ C ] VS98 (6.0) build 8168
                                    • [C++] VS98 (6.0) build 8168
                                    • [RES] VS98 (6.0) cvtres build 1720
                                    • [LNK] VS98 (6.0) imp/exp build 8168
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x3000 | 0x154 | 0x1000 | 9b27c3f254416f775f5a51102ef8fb84 | False | 0.016845703125 | Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0 | 0.085726967663312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x4000 | 0x500060 | 0x501000 | 73051abe1744c090ecb1850e01a3b45b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    W | 0x4060 | 0x500000 | data | English | United States | 0.880279541015625
                                    DLL | Import
                                    KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
                                    MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
                                    Name | Ordinal | Address
                                    PlayGame | 1 | 0x10001114
                                    Language of compilation system | Country where language is spoken
                                    English | United States
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2025-01-15T17:25:06.342878+0100 | 2830018 | ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) | 1 | 192.168.2.5 | 51063 | 1.1.1.1 | 53 | UDP
                                    2025-01-15T17:25:07.281335+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | TCP
                                    2025-01-15T17:25:08.974759+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49706 | 103.224.212.215 | 80 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 15, 2025 17:25:09.505201101 CET49709445192.168.2.562.144.252.78
                                    Jan 15, 2025 17:25:09.505459070 CET4454971062.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:09.505743027 CET49710445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.505784988 CET49710445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.508984089 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.511507988 CET4454971062.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:09.511660099 CET4454971062.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:09.511734962 CET49710445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.514761925 CET4454971162.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:09.515361071 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.515403986 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:09.521040916 CET4454971162.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:09.864445925 CET8049708103.224.212.215192.168.2.5
                                    Jan 15, 2025 17:25:09.864669085 CET4970880192.168.2.5103.224.212.215
                                    Jan 15, 2025 17:25:09.866724014 CET4970880192.168.2.5103.224.212.215
                                    Jan 15, 2025 17:25:09.867794991 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:09.872684956 CET8049720199.59.243.228192.168.2.5
                                    Jan 15, 2025 17:25:09.872764111 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:09.872867107 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:09.877677917 CET8049720199.59.243.228192.168.2.5
                                    Jan 15, 2025 17:25:09.887528896 CET8049708103.224.212.215192.168.2.5
                                    Jan 15, 2025 17:25:09.887737036 CET4970880192.168.2.5103.224.212.215
                                    Jan 15, 2025 17:25:10.342937946 CET8049720199.59.243.228192.168.2.5
                                    Jan 15, 2025 17:25:10.342984915 CET8049720199.59.243.228192.168.2.5
                                    Jan 15, 2025 17:25:10.343028069 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:10.343066931 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:10.349958897 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:10.350007057 CET4972080192.168.2.5199.59.243.228
                                    Jan 15, 2025 17:25:10.857572079 CET49675443192.168.2.523.1.237.91
                                    Jan 15, 2025 17:25:10.857695103 CET49674443192.168.2.523.1.237.91
                                    Jan 15, 2025 17:25:10.998194933 CET49673443192.168.2.523.1.237.91
                                    Jan 15, 2025 17:25:11.499468088 CET49735445192.168.2.538.200.252.119
                                    Jan 15, 2025 17:25:11.504738092 CET4454973538.200.252.119192.168.2.5
                                    Jan 15, 2025 17:25:11.507730007 CET49735445192.168.2.538.200.252.119
                                    Jan 15, 2025 17:25:11.507740974 CET49735445192.168.2.538.200.252.119
                                    Jan 15, 2025 17:25:11.508150101 CET49736445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.513067961 CET4454973638.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:11.513173103 CET4454973538.200.252.119192.168.2.5
                                    Jan 15, 2025 17:25:11.513241053 CET49735445192.168.2.538.200.252.119
                                    Jan 15, 2025 17:25:11.513343096 CET49736445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.513343096 CET49736445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.514427900 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.518318892 CET4454973638.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:11.519282103 CET4454973738.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:11.519354105 CET49736445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.519375086 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.519417048 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:11.524234056 CET4454973738.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:12.807115078 CET4434970323.1.237.91192.168.2.5
                                    Jan 15, 2025 17:25:12.807322979 CET49703443192.168.2.523.1.237.91
                                    Jan 15, 2025 17:25:13.515423059 CET49760445192.168.2.5130.171.163.58
                                    Jan 15, 2025 17:25:13.520628929 CET44549760130.171.163.58192.168.2.5
                                    Jan 15, 2025 17:25:13.520719051 CET49760445192.168.2.5130.171.163.58
                                    Jan 15, 2025 17:25:13.520761013 CET49760445192.168.2.5130.171.163.58
                                    Jan 15, 2025 17:25:13.521017075 CET49761445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.525829077 CET44549760130.171.163.58192.168.2.5
                                    Jan 15, 2025 17:25:13.525928974 CET44549761130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:13.526000977 CET49760445192.168.2.5130.171.163.58
                                    Jan 15, 2025 17:25:13.526038885 CET49761445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.526125908 CET49761445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.527206898 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.531131029 CET44549761130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:13.531193972 CET49761445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.532253981 CET44549762130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:13.532335043 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.532380104 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:13.537180901 CET44549762130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:15.531944036 CET49785445192.168.2.5137.94.76.71
                                    Jan 15, 2025 17:25:15.537210941 CET44549785137.94.76.71192.168.2.5
                                    Jan 15, 2025 17:25:15.537286043 CET49785445192.168.2.5137.94.76.71
                                    Jan 15, 2025 17:25:15.537339926 CET49785445192.168.2.5137.94.76.71
                                    Jan 15, 2025 17:25:15.537543058 CET49786445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.542423010 CET44549786137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:25:15.542562962 CET49786445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.542601109 CET49786445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.542659044 CET44549785137.94.76.71192.168.2.5
                                    Jan 15, 2025 17:25:15.542715073 CET49785445192.168.2.5137.94.76.71
                                    Jan 15, 2025 17:25:15.544028044 CET49787445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.547569036 CET44549786137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:25:15.547719955 CET44549786137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:25:15.547774076 CET49786445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.548850060 CET44549787137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:25:15.548911095 CET49787445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.548949003 CET49787445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:25:15.553991079 CET44549787137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:25:17.546506882 CET49806445192.168.2.5149.18.183.251
                                    Jan 15, 2025 17:25:17.551399946 CET44549806149.18.183.251192.168.2.5
                                    Jan 15, 2025 17:25:17.551503897 CET49806445192.168.2.5149.18.183.251
                                    Jan 15, 2025 17:25:17.551532984 CET49806445192.168.2.5149.18.183.251
                                    Jan 15, 2025 17:25:17.551706076 CET49807445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.556529999 CET44549807149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:25:17.556601048 CET49807445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.556662083 CET44549806149.18.183.251192.168.2.5
                                    Jan 15, 2025 17:25:17.556667089 CET49807445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.556720018 CET49806445192.168.2.5149.18.183.251
                                    Jan 15, 2025 17:25:17.557641983 CET49808445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.561644077 CET44549807149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:25:17.561816931 CET49807445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.562540054 CET44549808149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:25:17.562623024 CET49808445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.562731028 CET49808445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:25:17.567537069 CET44549808149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:25:19.561610937 CET49831445192.168.2.5171.68.51.19
                                    Jan 15, 2025 17:25:19.566489935 CET44549831171.68.51.19192.168.2.5
                                    Jan 15, 2025 17:25:19.566611052 CET49831445192.168.2.5171.68.51.19
                                    Jan 15, 2025 17:25:19.566679955 CET49831445192.168.2.5171.68.51.19
                                    Jan 15, 2025 17:25:19.566850901 CET49832445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.571701050 CET44549831171.68.51.19192.168.2.5
                                    Jan 15, 2025 17:25:19.571732044 CET44549832171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:25:19.571787119 CET49831445192.168.2.5171.68.51.19
                                    Jan 15, 2025 17:25:19.571840048 CET49832445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.571929932 CET49832445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.573076963 CET49833445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.577300072 CET44549832171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:25:19.577378035 CET49832445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.577871084 CET44549833171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:25:19.577976942 CET49833445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.578130007 CET49833445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:25:19.582969904 CET44549833171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:25:21.577261925 CET49862445192.168.2.516.176.209.58
                                    Jan 15, 2025 17:25:21.582226992 CET4454986216.176.209.58192.168.2.5
                                    Jan 15, 2025 17:25:21.582429886 CET49862445192.168.2.516.176.209.58
                                    Jan 15, 2025 17:25:21.582429886 CET49862445192.168.2.516.176.209.58
                                    Jan 15, 2025 17:25:21.582571030 CET49864445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.587407112 CET4454986416.176.209.1192.168.2.5
                                    Jan 15, 2025 17:25:21.587460995 CET4454986216.176.209.58192.168.2.5
                                    Jan 15, 2025 17:25:21.587486029 CET49864445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.587511063 CET49864445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.587651014 CET49862445192.168.2.516.176.209.58
                                    Jan 15, 2025 17:25:21.588063002 CET49865445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.592629910 CET4454986416.176.209.1192.168.2.5
                                    Jan 15, 2025 17:25:21.592695951 CET49864445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.592940092 CET4454986516.176.209.1192.168.2.5
                                    Jan 15, 2025 17:25:21.593126059 CET49865445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.593126059 CET49865445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:25:21.598067045 CET4454986516.176.209.1192.168.2.5
                                    Jan 15, 2025 17:25:23.593106031 CET49898445192.168.2.596.217.134.16
                                    Jan 15, 2025 17:25:23.598001003 CET4454989896.217.134.16192.168.2.5
                                    Jan 15, 2025 17:25:23.598090887 CET49898445192.168.2.596.217.134.16
                                    Jan 15, 2025 17:25:23.598233938 CET49898445192.168.2.596.217.134.16
                                    Jan 15, 2025 17:25:23.598371029 CET49899445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.603127956 CET4454989896.217.134.16192.168.2.5
                                    Jan 15, 2025 17:25:23.603221893 CET49898445192.168.2.596.217.134.16
                                    Jan 15, 2025 17:25:23.603240013 CET4454989996.217.134.1192.168.2.5
                                    Jan 15, 2025 17:25:23.603318930 CET49899445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.603332043 CET49899445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.603619099 CET49900445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.608474016 CET4454990096.217.134.1192.168.2.5
                                    Jan 15, 2025 17:25:23.608584881 CET49900445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.608584881 CET49900445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.609004974 CET4454989996.217.134.1192.168.2.5
                                    Jan 15, 2025 17:25:23.609070063 CET49899445192.168.2.596.217.134.1
                                    Jan 15, 2025 17:25:23.613454103 CET4454990096.217.134.1192.168.2.5
                                    Jan 15, 2025 17:25:25.608061075 CET49939445192.168.2.5184.229.205.229
                                    Jan 15, 2025 17:25:25.612921000 CET44549939184.229.205.229192.168.2.5
                                    Jan 15, 2025 17:25:25.613996029 CET49939445192.168.2.5184.229.205.229
                                    Jan 15, 2025 17:25:25.614192963 CET49939445192.168.2.5184.229.205.229
                                    Jan 15, 2025 17:25:25.614348888 CET49940445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.619183064 CET44549939184.229.205.229192.168.2.5
                                    Jan 15, 2025 17:25:25.619214058 CET44549940184.229.205.1192.168.2.5
                                    Jan 15, 2025 17:25:25.619308949 CET49939445192.168.2.5184.229.205.229
                                    Jan 15, 2025 17:25:25.619513035 CET49940445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.619513035 CET49940445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.619858027 CET49941445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.624468088 CET44549940184.229.205.1192.168.2.5
                                    Jan 15, 2025 17:25:25.624756098 CET44549941184.229.205.1192.168.2.5
                                    Jan 15, 2025 17:25:25.624829054 CET49940445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.625195026 CET49941445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.625195980 CET49941445192.168.2.5184.229.205.1
                                    Jan 15, 2025 17:25:25.630060911 CET44549941184.229.205.1192.168.2.5
                                    Jan 15, 2025 17:25:27.623694897 CET49975445192.168.2.518.169.197.90
                                    Jan 15, 2025 17:25:27.628516912 CET4454997518.169.197.90192.168.2.5
                                    Jan 15, 2025 17:25:27.628607988 CET49975445192.168.2.518.169.197.90
                                    Jan 15, 2025 17:25:27.628690004 CET49975445192.168.2.518.169.197.90
                                    Jan 15, 2025 17:25:27.628818035 CET49976445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.633652925 CET4454997618.169.197.1192.168.2.5
                                    Jan 15, 2025 17:25:27.633666992 CET4454997518.169.197.90192.168.2.5
                                    Jan 15, 2025 17:25:27.633722067 CET49976445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.633749962 CET49975445192.168.2.518.169.197.90
                                    Jan 15, 2025 17:25:27.633821011 CET49976445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.634053946 CET49977445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.638885021 CET4454997718.169.197.1192.168.2.5
                                    Jan 15, 2025 17:25:27.639074087 CET4454997618.169.197.1192.168.2.5
                                    Jan 15, 2025 17:25:27.639174938 CET49977445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.639174938 CET49977445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.641876936 CET49976445192.168.2.518.169.197.1
                                    Jan 15, 2025 17:25:27.643965960 CET4454997718.169.197.1192.168.2.5
                                    Jan 15, 2025 17:25:29.639405012 CET50010445192.168.2.5193.174.140.137
                                    Jan 15, 2025 17:25:29.644304037 CET44550010193.174.140.137192.168.2.5
                                    Jan 15, 2025 17:25:29.645796061 CET50010445192.168.2.5193.174.140.137
                                    Jan 15, 2025 17:25:29.645881891 CET50010445192.168.2.5193.174.140.137
                                    Jan 15, 2025 17:25:29.646034956 CET50011445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.650816917 CET44550011193.174.140.1192.168.2.5
                                    Jan 15, 2025 17:25:29.650878906 CET50011445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.650926113 CET50011445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.650981903 CET44550010193.174.140.137192.168.2.5
                                    Jan 15, 2025 17:25:29.651209116 CET50012445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.651227951 CET50010445192.168.2.5193.174.140.137
                                    Jan 15, 2025 17:25:29.655989885 CET44550011193.174.140.1192.168.2.5
                                    Jan 15, 2025 17:25:29.656054020 CET44550012193.174.140.1192.168.2.5
                                    Jan 15, 2025 17:25:29.656119108 CET50011445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.656162977 CET50012445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.656205893 CET50012445192.168.2.5193.174.140.1
                                    Jan 15, 2025 17:25:29.660964012 CET44550012193.174.140.1192.168.2.5
                                    Jan 15, 2025 17:25:30.896584034 CET4454971162.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:30.896661043 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:30.896761894 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:30.896919966 CET49711445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:30.901566982 CET4454971162.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:30.901710987 CET4454971162.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:31.655102968 CET50045445192.168.2.536.153.240.171
                                    Jan 15, 2025 17:25:31.660022020 CET4455004536.153.240.171192.168.2.5
                                    Jan 15, 2025 17:25:31.660221100 CET50045445192.168.2.536.153.240.171
                                    Jan 15, 2025 17:25:31.660221100 CET50045445192.168.2.536.153.240.171
                                    Jan 15, 2025 17:25:31.660561085 CET50046445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.665257931 CET4455004536.153.240.171192.168.2.5
                                    Jan 15, 2025 17:25:31.665304899 CET4455004636.153.240.1192.168.2.5
                                    Jan 15, 2025 17:25:31.665352106 CET50045445192.168.2.536.153.240.171
                                    Jan 15, 2025 17:25:31.665649891 CET50046445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.665649891 CET50046445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.665868044 CET50047445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.670676947 CET4455004636.153.240.1192.168.2.5
                                    Jan 15, 2025 17:25:31.670701027 CET4455004736.153.240.1192.168.2.5
                                    Jan 15, 2025 17:25:31.670762062 CET50046445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.670804977 CET50047445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.673702955 CET50047445192.168.2.536.153.240.1
                                    Jan 15, 2025 17:25:31.678452015 CET4455004736.153.240.1192.168.2.5
                                    Jan 15, 2025 17:25:32.897999048 CET4454973738.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:32.898197889 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:32.898197889 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:32.898401022 CET49737445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:32.903065920 CET4454973738.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:32.903139114 CET4454973738.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:33.670656919 CET50080445192.168.2.5142.52.100.160
                                    Jan 15, 2025 17:25:33.675621033 CET44550080142.52.100.160192.168.2.5
                                    Jan 15, 2025 17:25:33.675720930 CET50080445192.168.2.5142.52.100.160
                                    Jan 15, 2025 17:25:33.675806999 CET50080445192.168.2.5142.52.100.160
                                    Jan 15, 2025 17:25:33.676014900 CET50081445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.681070089 CET44550081142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:33.681082964 CET44550080142.52.100.160192.168.2.5
                                    Jan 15, 2025 17:25:33.681150913 CET50080445192.168.2.5142.52.100.160
                                    Jan 15, 2025 17:25:33.681173086 CET50081445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.681245089 CET50081445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.681658983 CET50082445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.686142921 CET44550081142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:33.686217070 CET50081445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.686741114 CET44550082142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:33.686815977 CET50082445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.686839104 CET50082445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:33.691735029 CET44550082142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:33.904794931 CET50088445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:33.909828901 CET4455008862.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:33.909915924 CET50088445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:33.909964085 CET50088445192.168.2.562.144.252.1
                                    Jan 15, 2025 17:25:33.914989948 CET4455008862.144.252.1192.168.2.5
                                    Jan 15, 2025 17:25:34.944904089 CET44549762130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:34.945116997 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:34.945116997 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:34.945116997 CET49762445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:34.950140953 CET44549762130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:34.950150013 CET44549762130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:35.686323881 CET50102445192.168.2.5136.248.250.219
                                    Jan 15, 2025 17:25:35.691198111 CET44550102136.248.250.219192.168.2.5
                                    Jan 15, 2025 17:25:35.691262007 CET50102445192.168.2.5136.248.250.219
                                    Jan 15, 2025 17:25:35.691351891 CET50102445192.168.2.5136.248.250.219
                                    Jan 15, 2025 17:25:35.691551924 CET50103445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:25:35.696255922 CET44550102136.248.250.219192.168.2.5
                                    Jan 15, 2025 17:25:35.696319103 CET50102445192.168.2.5136.248.250.219
                                    Jan 15, 2025 17:25:35.696381092 CET44550103136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:25:56.816478968 CET50286445192.168.2.547.184.229.206
                                    Jan 15, 2025 17:25:56.819048882 CET50286445192.168.2.547.184.229.206
                                    Jan 15, 2025 17:25:56.819355965 CET50287445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.823925018 CET4455028647.184.229.206192.168.2.5
                                    Jan 15, 2025 17:25:56.823992968 CET50286445192.168.2.547.184.229.206
                                    Jan 15, 2025 17:25:56.824218988 CET4455028747.184.229.1192.168.2.5
                                    Jan 15, 2025 17:25:56.824286938 CET50287445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.824328899 CET50287445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.824568033 CET50288445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.829266071 CET4455028747.184.229.1192.168.2.5
                                    Jan 15, 2025 17:25:56.829334021 CET4455028847.184.229.1192.168.2.5
                                    Jan 15, 2025 17:25:56.829340935 CET50287445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.829521894 CET50288445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.829521894 CET50288445192.168.2.547.184.229.1
                                    Jan 15, 2025 17:25:56.834290028 CET4455028847.184.229.1192.168.2.5
                                    Jan 15, 2025 17:25:57.053941011 CET44550104136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:25:57.054018974 CET50104445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:25:57.054075003 CET50104445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:25:57.054116964 CET50104445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:25:57.058903933 CET44550104136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:25:57.058917999 CET44550104136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:25:57.275903940 CET4455010538.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:57.276034117 CET50105445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:57.276114941 CET50105445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:57.276206017 CET50105445192.168.2.538.200.252.1
                                    Jan 15, 2025 17:25:57.280875921 CET4455010538.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:57.280940056 CET4455010538.200.252.1192.168.2.5
                                    Jan 15, 2025 17:25:57.342364073 CET50293445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.347208977 CET4455029338.200.252.2192.168.2.5
                                    Jan 15, 2025 17:25:57.347393990 CET50293445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.347393990 CET50293445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.347728014 CET50294445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.352494955 CET4455029338.200.252.2192.168.2.5
                                    Jan 15, 2025 17:25:57.352519035 CET4455029438.200.252.2192.168.2.5
                                    Jan 15, 2025 17:25:57.352582932 CET50293445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.352612972 CET50294445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.352648020 CET50294445192.168.2.538.200.252.2
                                    Jan 15, 2025 17:25:57.357388020 CET4455029438.200.252.2192.168.2.5
                                    Jan 15, 2025 17:25:57.827466965 CET50298445192.168.2.5102.226.199.83
                                    Jan 15, 2025 17:25:57.832418919 CET44550298102.226.199.83192.168.2.5
                                    Jan 15, 2025 17:25:57.836074114 CET50298445192.168.2.5102.226.199.83
                                    Jan 15, 2025 17:25:57.839245081 CET50298445192.168.2.5102.226.199.83
                                    Jan 15, 2025 17:25:57.839556932 CET50299445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.844343901 CET44550298102.226.199.83192.168.2.5
                                    Jan 15, 2025 17:25:57.844419003 CET44550299102.226.199.1192.168.2.5
                                    Jan 15, 2025 17:25:57.844568014 CET50298445192.168.2.5102.226.199.83
                                    Jan 15, 2025 17:25:57.844609022 CET50299445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.844674110 CET50299445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.845065117 CET50300445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.849596024 CET44550299102.226.199.1192.168.2.5
                                    Jan 15, 2025 17:25:57.849684954 CET50299445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.849859953 CET44550300102.226.199.1192.168.2.5
                                    Jan 15, 2025 17:25:57.849922895 CET50300445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.849960089 CET50300445192.168.2.5102.226.199.1
                                    Jan 15, 2025 17:25:57.854680061 CET44550300102.226.199.1192.168.2.5
                                    Jan 15, 2025 17:25:58.123564959 CET50303445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:58.128479004 CET44550303142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:58.131809950 CET50303445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:58.131855965 CET50303445192.168.2.5142.52.100.1
                                    Jan 15, 2025 17:25:58.136616945 CET44550303142.52.100.1192.168.2.5
                                    Jan 15, 2025 17:25:58.764504910 CET50308445192.168.2.5223.186.217.83
                                    Jan 15, 2025 17:25:58.769434929 CET44550308223.186.217.83192.168.2.5
                                    Jan 15, 2025 17:25:58.769524097 CET50308445192.168.2.5223.186.217.83
                                    Jan 15, 2025 17:25:58.769566059 CET50308445192.168.2.5223.186.217.83
                                    Jan 15, 2025 17:25:58.769901991 CET50309445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.774454117 CET44550308223.186.217.83192.168.2.5
                                    Jan 15, 2025 17:25:58.774523020 CET50308445192.168.2.5223.186.217.83
                                    Jan 15, 2025 17:25:58.774725914 CET44550309223.186.217.1192.168.2.5
                                    Jan 15, 2025 17:25:58.774811029 CET50309445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.774904013 CET50309445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.775171995 CET50310445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.779980898 CET44550310223.186.217.1192.168.2.5
                                    Jan 15, 2025 17:25:58.780042887 CET50310445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.780102015 CET50310445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.780319929 CET44550309223.186.217.1192.168.2.5
                                    Jan 15, 2025 17:25:58.780373096 CET50309445192.168.2.5223.186.217.1
                                    Jan 15, 2025 17:25:58.784827948 CET44550310223.186.217.1192.168.2.5
                                    Jan 15, 2025 17:25:59.068842888 CET44550119187.253.170.1192.168.2.5
                                    Jan 15, 2025 17:25:59.068932056 CET50119445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:25:59.068973064 CET50119445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:25:59.069008112 CET50119445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:25:59.073823929 CET44550119187.253.170.1192.168.2.5
                                    Jan 15, 2025 17:25:59.073833942 CET44550119187.253.170.1192.168.2.5
                                    Jan 15, 2025 17:25:59.338984013 CET44550124130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:59.339076996 CET50124445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:59.339169979 CET50124445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:59.339273930 CET50124445192.168.2.5130.171.163.1
                                    Jan 15, 2025 17:25:59.343900919 CET44550124130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:59.344273090 CET44550124130.171.163.1192.168.2.5
                                    Jan 15, 2025 17:25:59.404963970 CET50316445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.409914970 CET44550316130.171.163.2192.168.2.5
                                    Jan 15, 2025 17:25:59.410013914 CET50316445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.410053968 CET50316445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.410378933 CET50317445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.415512085 CET44550317130.171.163.2192.168.2.5
                                    Jan 15, 2025 17:25:59.415524006 CET44550316130.171.163.2192.168.2.5
                                    Jan 15, 2025 17:25:59.415534019 CET44550316130.171.163.2192.168.2.5
                                    Jan 15, 2025 17:25:59.415584087 CET50317445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.415611982 CET50316445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.415692091 CET50317445192.168.2.5130.171.163.2
                                    Jan 15, 2025 17:25:59.421508074 CET44550317130.171.163.2192.168.2.5
                                    Jan 15, 2025 17:25:59.639591932 CET50319445192.168.2.597.96.228.22
                                    Jan 15, 2025 17:25:59.644481897 CET4455031997.96.228.22192.168.2.5
                                    Jan 15, 2025 17:25:59.644694090 CET50319445192.168.2.597.96.228.22
                                    Jan 15, 2025 17:25:59.644694090 CET50319445192.168.2.597.96.228.22
                                    Jan 15, 2025 17:25:59.644879103 CET50320445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.649744034 CET4455032097.96.228.1192.168.2.5
                                    Jan 15, 2025 17:25:59.649754047 CET4455031997.96.228.22192.168.2.5
                                    Jan 15, 2025 17:25:59.649847031 CET50319445192.168.2.597.96.228.22
                                    Jan 15, 2025 17:25:59.649847031 CET50320445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.649941921 CET50320445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.650305033 CET50321445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.654871941 CET4455032097.96.228.1192.168.2.5
                                    Jan 15, 2025 17:25:59.654942989 CET50320445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.655128956 CET4455032197.96.228.1192.168.2.5
                                    Jan 15, 2025 17:25:59.655201912 CET50321445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.655216932 CET50321445192.168.2.597.96.228.1
                                    Jan 15, 2025 17:25:59.659965038 CET4455032197.96.228.1192.168.2.5
                                    Jan 15, 2025 17:26:00.060949087 CET50325445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:26:00.065788031 CET44550325136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:26:00.065871000 CET50325445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:26:00.065908909 CET50325445192.168.2.5136.248.250.1
                                    Jan 15, 2025 17:26:00.070769072 CET44550325136.248.250.1192.168.2.5
                                    Jan 15, 2025 17:26:00.474900007 CET50329445192.168.2.5167.103.158.41
                                    Jan 15, 2025 17:26:00.479674101 CET44550329167.103.158.41192.168.2.5
                                    Jan 15, 2025 17:26:00.479757071 CET50329445192.168.2.5167.103.158.41
                                    Jan 15, 2025 17:26:00.479851007 CET50329445192.168.2.5167.103.158.41
                                    Jan 15, 2025 17:26:00.484015942 CET50330445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.484699011 CET44550329167.103.158.41192.168.2.5
                                    Jan 15, 2025 17:26:00.484757900 CET50329445192.168.2.5167.103.158.41
                                    Jan 15, 2025 17:26:00.488903046 CET44550330167.103.158.1192.168.2.5
                                    Jan 15, 2025 17:26:00.488974094 CET50330445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.492630005 CET50330445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.492912054 CET50331445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.497699976 CET44550331167.103.158.1192.168.2.5
                                    Jan 15, 2025 17:26:00.497745037 CET44550330167.103.158.1192.168.2.5
                                    Jan 15, 2025 17:26:00.497780085 CET50331445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.497797012 CET50331445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.497822046 CET50330445192.168.2.5167.103.158.1
                                    Jan 15, 2025 17:26:00.502563953 CET44550331167.103.158.1192.168.2.5
                                    Jan 15, 2025 17:26:01.101093054 CET44550137218.101.231.1192.168.2.5
                                    Jan 15, 2025 17:26:01.101161957 CET50137445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:01.101186037 CET50137445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:01.101234913 CET50137445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:01.106036901 CET44550137218.101.231.1192.168.2.5
                                    Jan 15, 2025 17:26:01.106072903 CET44550137218.101.231.1192.168.2.5
                                    Jan 15, 2025 17:26:01.233398914 CET50336445192.168.2.5142.55.51.246
                                    Jan 15, 2025 17:26:01.238543987 CET44550336142.55.51.246192.168.2.5
                                    Jan 15, 2025 17:26:01.238615036 CET50336445192.168.2.5142.55.51.246
                                    Jan 15, 2025 17:26:01.238641977 CET50336445192.168.2.5142.55.51.246
                                    Jan 15, 2025 17:26:01.238769054 CET50337445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.243519068 CET44550336142.55.51.246192.168.2.5
                                    Jan 15, 2025 17:26:01.243647099 CET44550337142.55.51.1192.168.2.5
                                    Jan 15, 2025 17:26:01.243715048 CET50337445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.243766069 CET44550336142.55.51.246192.168.2.5
                                    Jan 15, 2025 17:26:01.243820906 CET50337445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.243823051 CET50336445192.168.2.5142.55.51.246
                                    Jan 15, 2025 17:26:01.244055033 CET50338445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.248933077 CET44550338142.55.51.1192.168.2.5
                                    Jan 15, 2025 17:26:01.249011040 CET50338445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.249053955 CET50338445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.249504089 CET44550337142.55.51.1192.168.2.5
                                    Jan 15, 2025 17:26:01.249654055 CET50337445192.168.2.5142.55.51.1
                                    Jan 15, 2025 17:26:01.253950119 CET44550338142.55.51.1192.168.2.5
                                    Jan 15, 2025 17:26:01.303253889 CET44550139137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:26:01.303349972 CET50139445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:26:01.303405046 CET50139445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:26:01.303457022 CET50139445192.168.2.5137.94.76.1
                                    Jan 15, 2025 17:26:01.308229923 CET44550139137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:26:01.308280945 CET44550139137.94.76.1192.168.2.5
                                    Jan 15, 2025 17:26:01.358007908 CET50340445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.362963915 CET44550340137.94.76.2192.168.2.5
                                    Jan 15, 2025 17:26:01.363065004 CET50340445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.363065004 CET50340445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.363337994 CET50341445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.368264914 CET44550341137.94.76.2192.168.2.5
                                    Jan 15, 2025 17:26:01.368295908 CET44550340137.94.76.2192.168.2.5
                                    Jan 15, 2025 17:26:01.368340969 CET50341445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.368360043 CET50340445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.368402958 CET50341445192.168.2.5137.94.76.2
                                    Jan 15, 2025 17:26:01.373192072 CET44550341137.94.76.2192.168.2.5
                                    Jan 15, 2025 17:26:02.076668978 CET50347445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:26:02.081496000 CET44550347187.253.170.1192.168.2.5
                                    Jan 15, 2025 17:26:02.081566095 CET50347445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:26:02.081588030 CET50347445192.168.2.5187.253.170.1
                                    Jan 15, 2025 17:26:02.086375952 CET44550347187.253.170.1192.168.2.5
                                    Jan 15, 2025 17:26:03.152555943 CET44550152116.10.21.1192.168.2.5
                                    Jan 15, 2025 17:26:03.152637005 CET50152445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:03.154584885 CET50152445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:03.154630899 CET50152445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:03.159410954 CET44550152116.10.21.1192.168.2.5
                                    Jan 15, 2025 17:26:03.159424067 CET44550152116.10.21.1192.168.2.5
                                    Jan 15, 2025 17:26:03.334682941 CET44550156149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:26:03.338263988 CET50156445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:26:03.354008913 CET50156445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:26:03.354089022 CET50156445192.168.2.5149.18.183.1
                                    Jan 15, 2025 17:26:03.358921051 CET44550156149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:26:03.358952045 CET44550156149.18.183.1192.168.2.5
                                    Jan 15, 2025 17:26:03.430201054 CET50360445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.435120106 CET44550360149.18.183.2192.168.2.5
                                    Jan 15, 2025 17:26:03.435995102 CET50360445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.436093092 CET50360445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.439569950 CET50362445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.441157103 CET44550360149.18.183.2192.168.2.5
                                    Jan 15, 2025 17:26:03.441262960 CET50360445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.444394112 CET44550362149.18.183.2192.168.2.5
                                    Jan 15, 2025 17:26:03.444500923 CET50362445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.444529057 CET50362445192.168.2.5149.18.183.2
                                    Jan 15, 2025 17:26:03.449419022 CET44550362149.18.183.2192.168.2.5
                                    Jan 15, 2025 17:26:04.107978106 CET50367445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:04.112828970 CET44550367218.101.231.1192.168.2.5
                                    Jan 15, 2025 17:26:04.112910986 CET50367445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:04.112934113 CET50367445192.168.2.5218.101.231.1
                                    Jan 15, 2025 17:26:04.117702007 CET44550367218.101.231.1192.168.2.5
                                    Jan 15, 2025 17:26:05.166414022 CET4455017089.148.186.1192.168.2.5
                                    Jan 15, 2025 17:26:05.166488886 CET50170445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:05.166548014 CET50170445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:05.166599989 CET50170445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:05.171318054 CET4455017089.148.186.1192.168.2.5
                                    Jan 15, 2025 17:26:05.171334982 CET4455017089.148.186.1192.168.2.5
                                    Jan 15, 2025 17:26:05.334569931 CET44550172171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:26:05.334856033 CET50172445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:26:05.334856033 CET50172445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:26:05.334891081 CET50172445192.168.2.5171.68.51.1
                                    Jan 15, 2025 17:26:05.339706898 CET44550172171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:26:05.339715004 CET44550172171.68.51.1192.168.2.5
                                    Jan 15, 2025 17:26:05.419467926 CET50375445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.424330950 CET44550375171.68.51.2192.168.2.5
                                    Jan 15, 2025 17:26:05.425961018 CET50375445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.426033974 CET50375445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.426286936 CET50377445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.431025982 CET44550375171.68.51.2192.168.2.5
                                    Jan 15, 2025 17:26:05.431097031 CET44550377171.68.51.2192.168.2.5
                                    Jan 15, 2025 17:26:05.431164026 CET50375445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.431176901 CET50377445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.431221962 CET50377445192.168.2.5171.68.51.2
                                    Jan 15, 2025 17:26:05.436005116 CET44550377171.68.51.2192.168.2.5
                                    Jan 15, 2025 17:26:06.170350075 CET50384445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:06.175326109 CET44550384116.10.21.1192.168.2.5
                                    Jan 15, 2025 17:26:06.175404072 CET50384445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:06.175431013 CET50384445192.168.2.5116.10.21.1
                                    Jan 15, 2025 17:26:06.180161953 CET44550384116.10.21.1192.168.2.5
                                    Jan 15, 2025 17:26:07.010853052 CET44550185148.208.193.1192.168.2.5
                                    Jan 15, 2025 17:26:07.014149904 CET50185445192.168.2.5148.208.193.1
                                    Jan 15, 2025 17:26:07.014235020 CET50185445192.168.2.5148.208.193.1
                                    Jan 15, 2025 17:26:07.014298916 CET50185445192.168.2.5148.208.193.1
                                    Jan 15, 2025 17:26:07.019026041 CET44550185148.208.193.1192.168.2.5
                                    Jan 15, 2025 17:26:07.019052029 CET44550185148.208.193.1192.168.2.5
                                    Jan 15, 2025 17:26:07.371414900 CET4455018916.176.209.1192.168.2.5
                                    Jan 15, 2025 17:26:07.371490955 CET50189445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:26:07.371524096 CET50189445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:26:07.371550083 CET50189445192.168.2.516.176.209.1
                                    Jan 15, 2025 17:26:07.376346111 CET4455018916.176.209.1192.168.2.5
                                    Jan 15, 2025 17:26:07.376380920 CET4455018916.176.209.1192.168.2.5
                                    Jan 15, 2025 17:26:07.435934067 CET50398445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.440874100 CET4455039816.176.209.2192.168.2.5
                                    Jan 15, 2025 17:26:07.440943956 CET50398445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.440968037 CET50398445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.441205978 CET50399445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.446075916 CET4455039916.176.209.2192.168.2.5
                                    Jan 15, 2025 17:26:07.446171999 CET50399445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.446171999 CET50399445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.447108030 CET4455039816.176.209.2192.168.2.5
                                    Jan 15, 2025 17:26:07.447163105 CET50398445192.168.2.516.176.209.2
                                    Jan 15, 2025 17:26:07.451034069 CET4455039916.176.209.2192.168.2.5
                                    Jan 15, 2025 17:26:08.174349070 CET50409445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:08.179500103 CET4455040989.148.186.1192.168.2.5
                                    Jan 15, 2025 17:26:08.179591894 CET50409445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:08.179605007 CET50409445192.168.2.589.148.186.1
                                    Jan 15, 2025 17:26:08.184536934 CET4455040989.148.186.1192.168.2.5
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 15, 2025 17:25:06.342878103 CET | 51063 | 53 | 192.168.2.5 | 1.1.1.1
                                    Jan 15, 2025 17:25:06.651994944 CET | 53 | 51063 | 1.1.1.1 | 192.168.2.5
                                    Jan 15, 2025 17:25:07.291615963 CET | 50231 | 53 | 192.168.2.5 | 1.1.1.1
                                    Jan 15, 2025 17:25:07.622163057 CET | 53 | 50231 | 1.1.1.1 | 192.168.2.5
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jan 15, 2025 17:25:06.342878103 CET | 192.168.2.5 | 1.1.1.1 | 0x3705 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false
                                    Jan 15, 2025 17:25:07.291615963 CET | 192.168.2.5 | 1.1.1.1 | 0xb582 | Standard query (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jan 15, 2025 17:25:06.651994944 CET | 1.1.1.1 | 192.168.2.5 | 0x3705 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | | 103.224.212.215 | A (IP address) | IN (0x0001) | false
                                    Jan 15, 2025 17:25:07.622163057 CET | 1.1.1.1 | 192.168.2.5 | 0xb582 | No error (0) | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 77026.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jan 15, 2025 17:25:07.622163057 CET | 1.1.1.1 | 192.168.2.5 | 0xb582 | No error (0) | 77026.bodis.com | | 199.59.243.228 | A (IP address) | IN (0x0001) | false
                                    • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    • ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.5 | 49704 | 103.224.212.215 | 80 | 5728 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:06.663515091 CET | 100 | OUT | GET / HTTP/1.1
                                    Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Cache-Control: no-cache
                                    Jan 15, 2025 17:25:07.280993938 CET | 365 | IN | HTTP/1.1 302 Found
                                    date: Wed, 15 Jan 2025 16:25:07 GMT
                                    server: Apache
                                    set-cookie: __tad=1736958307.7566444; expires=Sat, 13-Jan-2035 16:25:07 GMT; Max-Age=315360000
                                    location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-07ad-ad4a-bba6e83174ed
                                    content-length: 2
                                    content-type: text/html; charset=UTF-8
                                    connection: close
                                    Data Raw: 0a 0a
                                    Data Ascii:


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.5 | 49705 | 199.59.243.228 | 80 | 5728 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:07.628016949 CET | 169 | OUT | GET /?subid1=20250116-0325-07ad-ad4a-bba6e83174ed HTTP/1.1
                                    Cache-Control: no-cache
                                    Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Connection: Keep-Alive
                                    Jan 15, 2025 17:25:08.092154026 CET | 1236 | IN | HTTP/1.1 200 OK
                                    date: Wed, 15 Jan 2025 16:25:07 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 1262
                                    x-request-id: 0a70b268-8399-43f9-ab15-5dcb859153dc
                                    cache-control: no-store, max-age=0
                                    accept-ch: sec-ch-prefers-color-scheme
                                    critical-ch: sec-ch-prefers-color-scheme
                                    vary: sec-ch-prefers-color-scheme
                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yL/TuFBFF1U2/HN9OOdcmblqvGsvFexwZ0JMuc2utmcv0DmhjZxhGWlJRBwD4UZ1YS4ACBOTRc6IdHLpgIZ2/Q==
                                    set-cookie: parking_session=0a70b268-8399-43f9-ab15-5dcb859153dc; expires=Wed, 15 Jan 2025 16:40:08 GMT; path=/


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    2 | 192.168.2.5 | 49706 | 103.224.212.215 | 80 | 6048 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:08.354192019 CET | 100 | OUT | GET / HTTP/1.1
                                    Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Cache-Control: no-cache
                                    Jan 15, 2025 17:25:08.974560976 CET | 365 | IN | HTTP/1.1 302 Found
                                    date: Wed, 15 Jan 2025 16:25:08 GMT
                                    server: Apache
                                    set-cookie: __tad=1736958308.3030782; expires=Sat, 13-Jan-2035 16:25:08 GMT; Max-Age=315360000
                                    location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-0823-9d83-9e2f87dfdc03
                                    content-length: 2
                                    content-type: text/html; charset=UTF-8
                                    connection: close
                                    Data Raw: 0a 0a
                                    Data Ascii:


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    3 | 192.168.2.5 | 49707 | 199.59.243.228 | 80 | 6048 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:08.987662077 CET | 169 | OUT | GET /?subid1=20250116-0325-0823-9d83-9e2f87dfdc03 HTTP/1.1
                                    Cache-Control: no-cache
                                    Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Connection: Keep-Alive
                                    Jan 15, 2025 17:25:09.453062057 CET | 1236 | IN | HTTP/1.1 200 OK
                                    date: Wed, 15 Jan 2025 16:25:08 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 1262
                                    x-request-id: 8f2d3fd9-14ce-4b26-a299-a43cb09761a4
                                    cache-control: no-store, max-age=0
                                    accept-ch: sec-ch-prefers-color-scheme
                                    critical-ch: sec-ch-prefers-color-scheme
                                    vary: sec-ch-prefers-color-scheme
                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YxlWqvge9kl18XZXbNC17r0dURqrE+XZhNu6OKWlSBht/06aCaiz3156KiCzBIT7LKcTN5AZlTavzsmvIJzEmg==
                                    set-cookie: parking_session=8f2d3fd9-14ce-4b26-a299-a43cb09761a4; expires=Wed, 15 Jan 2025 16:40:09 GMT; path=/


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    4 | 192.168.2.5 | 49708 | 103.224.212.215 | 80 | 5632 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:09.223841906 CET | 134 | OUT | GET / HTTP/1.1
                                    Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Cache-Control: no-cache
                                    Cookie: __tad=1736958307.7566444
                                    Jan 15, 2025 17:25:09.864445925 CET | 269 | IN | HTTP/1.1 302 Found
                                    date: Wed, 15 Jan 2025 16:25:09 GMT
                                    server: Apache
                                    location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0325-093d-a7ca-255010b2f70f
                                    content-length: 2
                                    content-type: text/html; charset=UTF-8
                                    connection: close
                                    Data Raw: 0a 0a
                                    Data Ascii:


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    5 | 192.168.2.5 | 49720 | 199.59.243.228 | 80 | 5632 | C:\Windows\mssecsvr.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 15, 2025 17:25:09.872867107 CET | 231 | OUT | GET /?subid1=20250116-0325-093d-a7ca-255010b2f70f HTTP/1.1
                                    Cache-Control: no-cache
                                    Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                    Connection: Keep-Alive
                                    Cookie: parking_session=0a70b268-8399-43f9-ab15-5dcb859153dc
                                    Jan 15, 2025 17:25:10.342937946 CET | 1236 | IN | HTTP/1.1 200 OK
                                    date: Wed, 15 Jan 2025 16:25:10 GMT
                                    content-type: text/html; charset=utf-8
                                    content-length: 1262
                                    x-request-id: e0530c6a-a164-440d-9a97-235252d1bd8b
                                    cache-control: no-store, max-age=0
                                    accept-ch: sec-ch-prefers-color-scheme
                                    critical-ch: sec-ch-prefers-color-scheme
                                    vary: sec-ch-prefers-color-scheme
                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vUiqm8D1vKWLl138oImBP/Ij3xcnwUIJLcuECcximUXz9tpQxbFMck+14+mEhHxIMakYqoSlyzuY2xSrpgPLuQ==
                                    set-cookie: parking_session=0a70b268-8399-43f9-ab15-5dcb859153dc; expires=Wed, 15 Jan 2025 16:40:10 GMT


                                    Target ID:0
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll"
                                    Imagebase:0xce0000
                                    File size:126'464 bytes
                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                                    Imagebase:0x790000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\Gn8CvJE07O.dll,PlayGame
                                    Imagebase:0xf20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",#1
                                    Imagebase:0xf20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:25:05
                                    Start date:15/01/2025
                                    Path:C:\Windows\mssecsvr.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\WINDOWS\mssecsvr.exe
                                    Imagebase:0x400000
                                    File size:2'281'472 bytes
                                    MD5 hash:121CCF162E02BDBEF5B5CD056933F4D3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2070776364.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2070885182.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2070885182.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:11:25:07
                                    Start date:15/01/2025
                                    Path:C:\Windows\mssecsvr.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\WINDOWS\mssecsvr.exe -m security
                                    Imagebase:0x400000
                                    File size:2'281'472 bytes
                                    MD5 hash:121CCF162E02BDBEF5B5CD056933F4D3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2741600486.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2091006153.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2742720446.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2742720446.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2741838524.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2741838524.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2091118201.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2091118201.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2742964021.0000000002287000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2742964021.0000000002287000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:11:25:08
                                    Start date:15/01/2025
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\Gn8CvJE07O.dll",PlayGame
                                    Imagebase:0xf20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:11:25:08
                                    Start date:15/01/2025
                                    Path:C:\Windows\mssecsvr.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\WINDOWS\mssecsvr.exe
                                    Imagebase:0x400000
                                    File size:2'281'472 bytes
                                    MD5 hash:121CCF162E02BDBEF5B5CD056933F4D3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2112704011.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2099567193.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.2112821535.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2112821535.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.2099679615.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2099679615.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:71.7%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:63.2%
                                      Total number of Nodes:38
                                      Total number of Limit Nodes:9

                                      Callgraph

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
                                      • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                      • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                      • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                      • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                      • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                      • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                      • sprintf.MSVCRT ref: 00407E01
                                      • sprintf.MSVCRT ref: 00407E18
                                      • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
                                      • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
                                      • CloseHandle.KERNELBASE(00000000), ref: 00407E68
                                      • CreateProcessA.KERNELBASE ref: 00407EE8
                                      • CloseHandle.KERNEL32(00000000), ref: 00407EF7
                                      • CloseHandle.KERNEL32(08000000), ref: 00407F02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2103895971.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.2103861781.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103918904.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104027463.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
                                      • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                      • API String ID: 4281112323-1507730452
                                      • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                      • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                      • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                      • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2103895971.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.2103861781.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103918904.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104027463.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                      • String ID:
                                      • API String ID: 801014965-0
                                      • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                      • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                      • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                      • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

                                      Control-flow Graph

                                      APIs
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                      • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                      • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                        • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                        • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                      Strings
                                      • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2103895971.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.2103861781.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103918904.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104027463.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                      • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                      • API String ID: 774561529-2614457033
                                      • Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                      • Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
                                      • Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
                                      • Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

                                      Control-flow Graph

                                      APIs
                                      • sprintf.MSVCRT ref: 00407C56
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                                      • CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2103895971.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.2103861781.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103918904.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104027463.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                      • String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
                                      • API String ID: 3340711343-2450984573
                                      • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                      • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                      • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                      • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                      • __p___argc.MSVCRT ref: 004080A5
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                      • OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                      • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2103895971.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.2103861781.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103918904.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2103940751.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104027463.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.2104232680.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                      • String ID: mssecsvc2.1
                                      • API String ID: 4274534310-2839763450
                                      • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                      • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                      • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                      • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                      Execution Graph

                                      Execution Coverage:34.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:36
                                      Total number of Limit Nodes:2

                                      Callgraph

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                      • __p___argc.MSVCRT ref: 004080A5
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                      • OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                      • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2741527207.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.2741511086.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741546097.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741561453.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741561453.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741600486.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741656736.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741672295.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741838524.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                      • String ID: mssecsvc2.1
                                      • API String ID: 4274534310-2839763450
                                      • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                      • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                      • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                      • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

                                      Control-flow Graph

                                      APIs
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                      • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                      • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                        • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                        • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                      Strings
                                      • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2741527207.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.2741511086.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741546097.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741561453.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741561453.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741600486.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741656736.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741672295.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000007.00000002.2741838524.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_mssecsvr.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
                                      • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                                      • API String ID: 774561529-2614457033

                                      Control-flow Graph

                                      APIs
                                      • sprintf.MSVCRT ref: 00407C56
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                                      • CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                      Similarity
                                      • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                      • String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
                                      • API String ID: 3340711343-2450984573

                                      Control-flow Graph

                                      control_flow_graph 15 407ce0-407cfb GetModuleHandleW 16 407d01-407d43 GetProcAddress * 4 15->16 17 407f08-407f14 15->17 16->17 18 407d49-407d4f 16->18 18->17 19 407d55-407d5b 18->19 19->17 20 407d61-407d63 19->20 20->17 21 407d69-407d7e FindResourceA 20->21 21->17 22 407d84-407d8e LoadResource 21->22 22->17 23 407d94-407da1 LockResource 22->23 23->17 24 407da7-407db3 SizeofResource 23->24 24->17 25 407db9-407e4e sprintf * 2 MoveFileExA 24->25 25->17 27 407e54-407ef0 25->27 27->17 31 407ef2-407f01 27->31 31->17
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
                                      • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                      • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                      • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                      • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                      • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                      • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                      • sprintf.MSVCRT ref: 00407E01
                                      • sprintf.MSVCRT ref: 00407E18
                                      • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                      Similarity
                                      • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
                                      • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                      • API String ID: 4072214828-1507730452

                                      Control-flow Graph

                                      Similarity
                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                      • String ID:
                                      • API String ID: 801014965-0