Edit tour

Windows Analysis Report
Vb1S2HJcnN.dll

Overview

General Information

Sample name:	Vb1S2HJcnN.dll renamed because original name is a hash value
Original sample name:	bd61c244153364c6322a4bc9337d15dcf9c3bf00.dll
Analysis ID:	1558403
MD5:	8b46c170f7f8a38a8f69fa4bc2b53d61
SHA1:	bd61c244153364c6322a4bc9337d15dcf9c3bf00
SHA256:	27f8d7bbfe91b1ef754a445fbccc24c9da11695ca63c44a33fa12a1df338b76f
Tags:	dlluser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

PE file has a writeable .text section

Queries disk data (e.g. SMART data)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to communicate with device drivers

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7260 cmdline: loaddll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7312 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7372 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7424 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7320 cmdline: rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7512 cmdline: rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7540 cmdline: rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7700 cmdline: rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7740 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7832 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7708 cmdline: rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7716 cmdline: rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3512 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 3168 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6660 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7292 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7776 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7700 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Vb1S2HJcnN.dll	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x3b77e:$x1: cracked by ximo 0x3b838:$x1: cracked by ximo 0x3b8f2:$x1: cracked by ximo 0x3b9ac:$x1: cracked by ximo 0x3ba66:$x1: cracked by ximo 0x3bb20:$x1: cracked by ximo 0x3bbda:$x1: cracked by ximo 0x3bc94:$x1: cracked by ximo 0x402d6:$x1: cracked by ximo 0x43d1b:$x1: cracked by ximo

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x3b77e:$x1: cracked by ximo 0x3b838:$x1: cracked by ximo 0x3b8f2:$x1: cracked by ximo 0x3b9ac:$x1: cracked by ximo 0x3ba66:$x1: cracked by ximo 0x3bb20:$x1: cracked by ximo 0x3bbda:$x1: cracked by ximo 0x3bc94:$x1: cracked by ximo 0x402d6:$x1: cracked by ximo 0x43d1b:$x1: cracked by ximo
9.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x3b77e:$x1: cracked by ximo 0x3b838:$x1: cracked by ximo 0x3b8f2:$x1: cracked by ximo 0x3b9ac:$x1: cracked by ximo 0x3ba66:$x1: cracked by ximo 0x3bb20:$x1: cracked by ximo 0x3bbda:$x1: cracked by ximo 0x3bc94:$x1: cracked by ximo 0x402d6:$x1: cracked by ximo 0x43d1b:$x1: cracked by ximo
15.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x3b77e:$x1: cracked by ximo 0x3b838:$x1: cracked by ximo 0x3b8f2:$x1: cracked by ximo 0x3b9ac:$x1: cracked by ximo 0x3ba66:$x1: cracked by ximo 0x3bb20:$x1: cracked by ximo 0x3bbda:$x1: cracked by ximo 0x3bc94:$x1: cracked by ximo 0x402d6:$x1: cracked by ximo 0x43d1b:$x1: cracked by ximo

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtfd

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Vb1S2HJcnN.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: Vb1S2HJcnN.dll

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Vb1S2HJcnN.dll

Joe Sandbox ML: detected

Source: Vb1S2HJcnN.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.,G source: rundll32.exe, 00000003.00000003.3819763452.00000000030A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XE~1INetsettntkrnlmp.pdb source: rundll32.exe, 00000003.00000003.3819763452.0000000003060000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.[g/D source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.*Ja\F source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose,

3_2_10007F3E

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.160.131.253 18659	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.160.131.254 23588	Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: global traffic	TCP traffic: 107.160.131.253 ports 1,5,6,8,9,18659

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 107.163.56.110:18530
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 107.160.131.253:18659
Source: global traffic	TCP traffic: 192.168.2.4:49764 -> 107.160.131.254:23588

Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: AS40676US AS40676US
Source: Joe Sandbox View	ASN Name: AS40676US AS40676US

Source: global traffic

TCP traffic: 192.168.2.4:49790 -> 202.108.0.52:80

Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown	TCP traffic detected without corresponding DNS query: 107.160.131.254

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003F41 InternetReadFile,

3_2_10003F41

Source: global traffic	DNS traffic detected: DNS query: host123.zz.am
Source: global traffic	DNS traffic detected: DNS query: blog.sina.com.cn

Source: rundll32.exe, rundll32.exe, 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3051247387.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014509182.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	String found in binary or memory: http://107.160.131.253:18659/
Source: rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.000000000303C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.253:18659//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmtaWndm
Source: rundll32.exe, 00000003.00000002.4158353206.0000000000B0B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.253:8659//joy.asp?sid=run
Source: rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3051247387.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014509182.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	String found in binary or memory: http://107.160.131.254:23588/article.php
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.php$a
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.php.
Source: rundll32.exe, 00000003.00000002.4158555194.000000000304E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.php3/
Source: rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.php79
Source: rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.php8f
Source: rundll32.exe, 00000003.00000002.4160815097.0000000005BED000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4161007369.0000000005E0A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpC:
Source: rundll32.exe, 00000003.00000002.4160815097.0000000005BED000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpD
Source: rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpGe
Source: rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpIe
Source: rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpUe8E
Source: rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpX
Source: rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpdeIE
Source: rundll32.exe, 00000003.00000003.3819763452.0000000003060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpindows
Source: rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpk
Source: rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.00000000030A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpme
Source: rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926096483.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.160.131.254:23588/article.phpreWE
Source: rundll32.exe, 00000003.00000002.4160751686.0000000005B6D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.160.13I
Source: rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.110:18530/u1129.htmlH
Source: rundll32.exe, 00000003.00000002.4159289964.0000000004D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093#V
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093.
Source: rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/57624790935V
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093V
Source: rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093eV
Source: rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093oV
Source: rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093wV
Source: rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093z
Source: rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093z6
Source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ziV
Source: rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093zoV
Source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093zwV
Source: rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093zz
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3051316180.000000001003D000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014701747.000000001003D000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	String found in binary or memory: http://www.rsac.org/ratingsv01.html

System Summary

Malicious sample detected (through community Yara rule)

Source: Vb1S2HJcnN.dll, type: SAMPLE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth

PE file has a writeable .text section

Source: Vb1S2HJcnN.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10008AAD: DeviceIoControl,

3_2_10008AAD

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003F63 ExitWindowsEx,

3_2_10003F63

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B224	3_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B70D	3_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100121ED	3_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AEC0	3_2_1000AEC0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 10001000 appears 305 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 676

Source: Vb1S2HJcnN.dll

Binary or memory string: OriginalFilenamejscript.dllL vs Vb1S2HJcnN.dll

Source: Vb1S2HJcnN.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: Vb1S2HJcnN.dll, type: SAMPLE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Vb1S2HJcnN.dll

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winDLL@42/10@49/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1000404F AdjustTokenPrivileges,

3_2_1000404F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003FB7 CreateToolhelp32Snapshot,

3_2_10003FB7

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\12010043

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\host123.zz.am:6658
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7540
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mhost123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c58b50b8-c5e7-4c01-bba8-4d0b9a13af14

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,DoAddToFavDlg

Source: Vb1S2HJcnN.dll

ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,DoAddToFavDlg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 676
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 668
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,DoAddToFavDlg	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,PrintFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",PrintFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.,G source: rundll32.exe, 00000003.00000003.3819763452.00000000030A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XE~1INetsettntkrnlmp.pdb source: rundll32.exe, 00000003.00000003.3819763452.0000000003060000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.[g/D source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.*Ja\F source: rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003900A push dword ptr [esp+4Ch]; retn 0050h	3_2_1003901C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027023 push dword ptr [esp+18h]; retn 001Ch	3_2_1002A254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F024 push dword ptr [esp+14h]; retn 0018h	3_2_1002F036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10029029 push dword ptr [esp+38h]; retn 003Ch	3_2_10027C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10029029 pushad ; mov dword ptr [esp], 73E57D1Ah	3_2_10029046
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003B02D push dword ptr [esp+50h]; retn 0054h	3_2_1003B061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F039 push esp; mov dword ptr [esp], B1CF2C6Dh	3_2_1002F051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F039 push dword ptr [esp+50h]; retn 0054h	3_2_1002F068
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035048 push dword ptr [esp+50h]; retn 0054h	3_2_100351D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033059 push dword ptr [esp+50h]; retn 0054h	3_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033064 push dword ptr [esp+50h]; retn 0054h	3_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002D06D push dword ptr [esp+38h]; retn 003Ch	3_2_1002D08D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031079 push dword ptr [esp+30h]; retn 0034h	3_2_10031095
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027080 push ebp; mov dword ptr [esp], edx	3_2_1002FD0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027080 push dword ptr [esp+04h]; retn 0008h	3_2_1002FD4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023085 push dword ptr [esp+38h]; retn 003Ch	3_2_10023093
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023096 push dword ptr [esp+50h]; retn 0054h	3_2_100230B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100330A5 push dword ptr [esp+2Ch]; retn 0030h	3_2_1002B78C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100330A5 push dword ptr [esp+04h]; retn 0008h	3_2_1003B2DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100230B6 push dword ptr [esp+34h]; retn 0038h	3_2_1002F874
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100270BA push dword ptr [esp+34h]; retn 0038h	3_2_1002AD33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100250BC push dword ptr [esp+44h]; retn 0048h	3_2_1003408E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F0D4 push dword ptr [esp+0Ch]; retn 0014h	3_2_1002F0EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h	3_2_100282E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h	3_2_100338DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100350D9 push dword ptr [esp+50h]; retn 0054h	3_2_10035102
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100250D9 push dword ptr [esp+14h]; retn 0018h	3_2_100250F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0E4 push dword ptr [esp+48h]; retn 004Ch	3_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002D0EF push dword ptr [esp+10h]; retn 0014h	3_2_1002D116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0EF push dword ptr [esp+48h]; retn 004Ch	3_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10039107 push dword ptr [esp+4Ch]; retn 0050h	3_2_10039116

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_3-17249

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001E1FE rdtsc

3_2_1001E1FE

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 383			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 5667			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7488	Thread sleep count: 383 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7488	Thread sleep time: -689400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8052	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7324	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8156	Thread sleep time: -4200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8160	Thread sleep time: -3000000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3448	Thread sleep time: -1440000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4500	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7440	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8056	Thread sleep time: -7200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7488	Thread sleep count: 5667 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7488	Thread sleep time: -10200600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose,

3_2_10007F3E

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: rundll32.exe, 00000003.00000002.4158300734.0000000000ACB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: s\Applications\\VMwareHoh
Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.4158555194.000000000304E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: rundll32.exe, 00000003.00000003.1996338215.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000003.00000002.4159289964.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Applications\\VMwareHostOpen.exe
Source: rundll32.exe, 00000003.00000002.4158486871.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RE\DESCRIPTION\System\CentralProcessor\0xes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\45
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001E1FE rdtsc

3_2_1001E1FE

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.160.131.253 18659	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.160.131.254 23588	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Queries disk data (e.g. SMART data)

Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	111 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Rundll32	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	111 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Vb1S2HJcnN.dll	79%	ReversingLabs	Win32.Backdoor.Farfli
Vb1S2HJcnN.dll	100%	Avira	TR/Crypt.PEPM.Gen
Vb1S2HJcnN.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://107.160.131.254:23588/article.phpC:	0%	Avira URL Cloud	safe
http://107.160.131.253:8659//joy.asp?sid=run	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpindows	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpD	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php79	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpme	0%	Avira URL Cloud	safe
http://107.163.56.110:18530/u1129.html	0%	Avira URL Cloud	safe
http://107.160.131.253:18659//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmtaWndm	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php3/	0%	Avira URL Cloud	safe
http://107.163.56.110:18530/u1129.htmlH	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpdeIE	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php.	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpUe8E	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php$a	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpIe	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpk	0%	Avira URL Cloud	safe
http://www.rsac.org/ratingsv01.html	0%	Avira URL Cloud	safe
http://107.160.131.253:18659/	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.php8f	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpreWE	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpGe	0%	Avira URL Cloud	safe
http://107.160.13I	0%	Avira URL Cloud	safe
http://107.160.131.254:23588/article.phpX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
blogx.sina.com.cn	202.108.0.52	true	false	high
host123.zz.am	unknown	unknown	false	unknown
blog.sina.com.cn	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://107.160.131.254:23588/article.php	rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3051247387.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014509182.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093.	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.131.254:23588/article.php3/	rundll32.exe, 00000003.00000002.4158555194.000000000304E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpindows	rundll32.exe, 00000003.00000003.3819763452.0000000003060000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpme	rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.00000000030A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpC:	rundll32.exe, 00000003.00000002.4160815097.0000000005BED000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4161007369.0000000005E0A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpD	rundll32.exe, 00000003.00000002.4160815097.0000000005BED000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.110:18530/u1129.html	rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.php79	rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.12.dr	false		high
http://107.160.131.253:18659//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmtaWndm	rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.000000000303C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.253:8659//joy.asp?sid=run	rundll32.exe, 00000003.00000002.4158353206.0000000000B0B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s	rundll32.exe, 00000003.00000002.4159289964.0000000004D41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093	rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.163.56.110:18530/u1129.htmlH	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpdeIE	rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093eV	rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093#V	rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093z6	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.131.254:23588/article.php.	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpUe8E	rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093wV	rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.131.254:23588/article.phpk	rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.php8f	rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.php$a	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093V	rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.131.254:23588/article.phpIe	rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093oV	rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093zz	rundll32.exe, 00000003.00000002.4158555194.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/57624790935V	rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rsac.org/ratingsv01.html	rundll32.exe, rundll32.exe, 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3051316180.000000001003D000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014701747.000000001003D000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	false	Avira URL Cloud: safe	unknown
http://107.160.131.253:18659/	rundll32.exe, rundll32.exe, 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3051247387.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4014509182.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Vb1S2HJcnN.dll	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpreWE	rundll32.exe, 00000003.00000003.2082760884.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926096483.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2926049501.00000000030A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093zwV	rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093z	rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.0000000003034000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4158555194.00000000030A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.131.254:23588/article.phpGe	rundll32.exe, 00000003.00000003.2205306350.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2604915627.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244806937.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2244967550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2204711938.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2205339890.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093zoV	rundll32.exe, 00000003.00000003.2082760884.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2083001265.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.160.13I	rundll32.exe, 00000003.00000002.4160751686.0000000005B6D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.160.131.254:23588/article.phpX	rundll32.exe, 00000003.00000003.2364014857.00000000030A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093ziV	rundll32.exe, 00000003.00000003.3819763452.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
202.108.0.52	blogx.sina.com.cn	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
107.163.56.110	unknown	United States	20248	TAKE2US	true
107.160.131.253	unknown	United States	40676	AS40676US	true
107.160.131.254	unknown	United States	40676	AS40676US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558403
Start date and time:	2024-11-19 13:17:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Vb1S2HJcnN.dll renamed because original name is a hash value
Original Sample Name:	bd61c244153364c6322a4bc9337d15dcf9c3bf00.dll
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winDLL@42/10@49/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 28 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Vb1S2HJcnN.dll

Simulations

Behavior and APIs

Time	Type	Description
07:18:20	API Interceptor	1234473x Sleep call for process: rundll32.exe modified
07:18:27	API Interceptor	1x Sleep call for process: loaddll32.exe modified
07:20:34	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
202.108.0.52	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
107.163.56.110	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse
107.163.56.110	abc.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
blogx.sina.com.cn	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	http://zeuso.cc	Get hash	malicious	Unknown	Browse	202.108.0.52
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	abc.dll	Get hash	malicious	Unknown	Browse	123.126.45.92

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS40676US	Malwarebytes Premium v4.6.8.311.exe	Get hash	malicious	Unknown	Browse	41.216.183.30
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	45.61.137.33
	QKS3UTHFX9.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	5z3Wzl6uag.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	e8HOp8k5Kj.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	45.61.137.33
	QKS3UTHFX9.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	5z3Wzl6uag.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	e8HOp8k5Kj.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	45.34.110.251
AS40676US	Malwarebytes Premium v4.6.8.311.exe	Get hash	malicious	Unknown	Browse	41.216.183.30
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	45.61.137.33
	QKS3UTHFX9.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	5z3Wzl6uag.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	e8HOp8k5Kj.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	45.61.137.33
	QKS3UTHFX9.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	5z3Wzl6uag.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	e8HOp8k5Kj.js	Get hash	malicious	Unknown	Browse	45.61.137.33
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	45.34.110.251
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	owari.mips.elf	Get hash	malicious	Unknown	Browse	111.193.177.206
	owari.x86.elf	Get hash	malicious	Unknown	Browse	60.194.199.155
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	hmips.elf	Get hash	malicious	Mirai	Browse	111.196.123.227
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	123.112.202.42
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	113.45.119.194
	botx.arm.elf	Get hash	malicious	Mirai	Browse	211.145.29.8
	xd.m68k.elf	Get hash	malicious	Mirai	Browse	114.117.36.234
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	219.238.44.6
	xd.x86.elf	Get hash	malicious	Mirai	Browse	111.210.169.218
TAKE2US	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
	INVOICES.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	sh4.elf	Get hash	malicious	Mirai	Browse	23.231.236.168
	armv6l.elf	Get hash	malicious	Unknown	Browse	23.231.236.146
	3qsTcL9MOT.exe	Get hash	malicious	FormBook	Browse	107.163.96.57
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.231.158.3

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	663
Entropy (8bit):	4.501725476842082
Encrypted:	false
SSDEEP:	6:yFOeCUmBqqdUVNnKz43Ej9wqjHWDnPvX3VUwwwwwwwwwwwwwwwwwwwwM:8lXmBUVNj3Ej9b2DnPv3Vn
MD5:	D35633A1A809B5BDEEDA2BCE52057CC0
SHA1:	05AE164998FEB5066D34A55565B8F8C2A0D3382F
SHA-256:	8BC0117DA67370038B4DAF92978C1F3D78D34C19383FDE791651F3C7F9B719A2
SHA-512:	0D32375C9799D3E910908A22580589D66723997CBB00BD8E3E2881D825A42167E9BE861AFCA4C444832CC34423C9651254A0F60B7B9C7FB0A0CC6DA649AC4A46
Malicious:	false
Preview:	..2024-11-21 09:29..iOffset....2024-11-23 00:10..iOffset....2024-11-23 21:03..iOffset....2024-11-25 17:35..iOffset....2024-11-26 14:28..iOffset....2024-11-28 15:26..iOffset....2024-11-29 19:49..iOffset....2024-12-02 23:25..iOffset....2024-12-07 03:09..iOffset....2024-12-10 06:32..iOffset....2024-12-20 18:37..iOffset....2024-12-31 11:12..iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_e1e1aca2-3cd9-473d-81e1-bc7a46e9e26e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9499848688206065
Encrypted:	false
SSDEEP:	192:ymDiwEOK730BU/wjeTQWaZYzuiFpZ24IO8dci:DDiKuEBU/wjekbYzuiFpY4IO8dci
MD5:	868EB3E0B72E3FFC5AA51386A2E86888
SHA1:	D6F421225847509204908E50666225350A4E9D31
SHA-256:	1D8F7AFAD99313BF78F8ADC057C97D82904B6E1032A6EB6ABBF81DD4829AA5C6
SHA-512:	7D400BC4A4A4DD580BA594B35A865A577F5124BB223D3C15443ADEE9DA4C977CD45AB621523D7AADF71202D18A54BFFC60C2C7FE5E8B8D5A5713FDA868A509CF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.2.3.0.7.8.2.9.1.7.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.2.3.0.8.4.0.7.3.2.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.e.1.a.c.a.2.-.3.c.d.9.-.4.7.3.d.-.8.1.e.1.-.b.c.7.a.4.6.e.9.e.2.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.8.d.2.f.b.a.-.f.b.f.4.-.4.5.2.8.-.8.0.e.3.-.1.0.a.6.6.0.1.a.a.8.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.1.0.0.7.-.2.9.2.3.7.d.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fee72e296cfe876676a0f903eac30ffbede4e6_7522e4b5_568bb817-f66d-436b-80f0-4346d190c4a8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9505302083817813
Encrypted:	false
SSDEEP:	192:0jiigODv0BU/wjeTgWBCYzuiFEZ24IO8dci:6iiRDcBU/wje0LYzuiFEY4IO8dci
MD5:	8710DE9D949F44CFBACE66316A027CCE
SHA1:	349A2DE90A90939E550369C26246EEEA1776953B
SHA-256:	E5A70977BC1E59FA40F1708185E3C92135A64DB9491EDEC37CA19665CCAD3F17
SHA-512:	1941227F3464CCAF798C20FB2ED3AA8F0765B3157B545A9B3E84C2E242CBAED653A19C708B4254FBBC644BD4B130FFF523D1B752D8F2B0534140B6B48F345AC6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.2.3.0.4.7.2.1.8.6.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.2.3.0.5.2.6.8.7.0.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.8.b.b.8.1.7.-.f.6.6.d.-.4.3.6.b.-.8.0.f.0.-.4.3.4.6.d.1.9.0.c.4.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.7.c.2.8.c.6.-.d.e.f.e.-.4.f.5.f.-.b.2.b.8.-.b.d.f.2.c.a.d.7.a.e.f.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.4.-.0.0.0.1.-.0.0.1.4.-.e.c.3.5.-.5.5.2.1.7.d.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8679.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 12:18:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45628
Entropy (8bit):	1.9700671608424365
Encrypted:	false
SSDEEP:	192:VBm8H5CZ53XUXaZ+O5H4c6tkIWMx3shYO/H3qZmnlE:zm8AZ5zZ55HpkkHMChP/HZlE
MD5:	4D49981962E1B6DEA1021BD01E9B1F7B
SHA1:	584A5CAC383F4E2F55487D749FBB0D6082D757CD
SHA-256:	66A1999B74B9B68218CC32567859040ED8EE2F992EA452D9BD44820E09CB4C88
SHA-512:	119DE7DA87B471A8198E86685C358F9722DF8D22539743FF13B07B1728F57382C9F9512F785FBD0CF03450B258422E45EAB5A44BB4DFA7220F07F4CCF4CA55AE
Malicious:	false
Preview:	MDMP..a..... .........<g........................................V/..........T.......8...........T...............t...........L...........8...............................................................................eJ..............GenuineIntel............T.......t.....<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8754.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.691640863975639
Encrypted:	false
SSDEEP:	192:R6l7wVeJj66Ab6YB+6ZgmfTxhprt89bwMGsfkyqm:R6lXJe6U6Y46ZgmfTxmjlfP
MD5:	D2CCA97E02E61CA1CA386D700C5AD8D2
SHA1:	D24444A289B57E9A6A08A0F7010D8D25C1A70326
SHA-256:	F767F494FB53800D42A3A2BB8B716D93335B78E3BC52B4859F600CF45FFF5C26
SHA-512:	4E8EB2C4084C3090BB96C0BE452AC59FF96EBF493A98F3B824D0D15162C78FC14E1B5B8718697ECDA72408F9788F0F3ADE2D461E5C2BDAB16D781085B1426229
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8794.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.463527919610204
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI98nWpW8VYXYm8M4JCdPOFCm+q8/ACmYGScS1d:uIjfEI7iW7VnJ9amYJ31d
MD5:	E6837C5D4927EE86E3783E7B8BC52591
SHA1:	8551E5A715476CC1EB16AC2079A3EDB21D9DD04E
SHA-256:	BED7362944806F11D5C5DEFD6B0796EB4B0EFAD08700F03491093026AD8F3787
SHA-512:	46E8ADB3F430047A5B0660236AFEB6F78201C73292515C333EE0CF55F24487DF11F5FF0DE95708DC0FD73F97E9100C72B8B7FE2DEEFBC9D87E94D6267EE0D03D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594921" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9250.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 12:18:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44430
Entropy (8bit):	2.0339553066949794
Encrypted:	false
SSDEEP:	192:eC8SQZ55XUXapO5H4khc19EqECX/baKGgdaTUl:x8lZ5Js5Hxhc19ElCX/bad4l
MD5:	361BC3B49C66CD4FFC65A2F389B6A2CC
SHA1:	8102D26B73C7F8227EBCB92271A97840F66EB5C5
SHA-256:	ECC6538CC133D22346CB56FC9A97EC362BFCFDAB1441132A7D9671E58A36C877
SHA-512:	E119D29161164ECB196832116CD4FD5B3119E78A64EC8F54EB8FF604CFDF18F3EED478F4F837257CB465A24D8E6D2459BA2E54B3470A07F46CEF49117403D083
Malicious:	false
Preview:	MDMP..a..... .........<g........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T.......$.....<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER92ED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.689222136127775
Encrypted:	false
SSDEEP:	192:R6l7wVeJSa6E6YZB6YTgmfTZhpr+89bw57sfQMvy5m:R6lXJn6E6Yv6YTgmfTZrGAfQA
MD5:	0A72131AC8A073C1AB8289CCCDEC63BC
SHA1:	8AA201436DF79EA2C49AC5DEB5982F7763CEB55B
SHA-256:	DE238B0F6736A24DCE29149812D7501CF99BA60E44BC09522B29E1C675DA928B
SHA-512:	368A9C7C27912B02CEE820746BCAFF9196CD60F4F64E663F8385194081DA3E61D6BB0093127BF1F1679C9A393AFEBD88AD94FFAE150325B8FFAEC23772B60796
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER930D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.4600591103847975
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI98nWpW8VYUPYm8M4JCdPSFEHP+q8/AJGScSeMd:uIjfEI7iW7VBSJ8vhJ37d
MD5:	F35993F586D8B69FA029BEDF7883129F
SHA1:	4EA9166B26F2CD442E8B1DF8865B7A77BF4C56ED
SHA-256:	11B4FAC16053180554E0298A562BEFED2C6A9756D97923CA3A206988E74DBFA7
SHA-512:	50ABD0DE5C765BDF6541F6D16423858B2BCB5113321E01FBC9000937C124760CF94751D7CB2FC5716FD3DBA85240A312102135CA857BF5FB29CA1409DBC89A70
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594921" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466249667178544
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:4XD94+WlLZMM6YFHT+G
MD5:	EE27EB32C479DCD1B9AE00826FA73A31
SHA1:	CFCFE1BD743DD686B721D2C725B7CFB238182B09
SHA-256:	E330DC8D399F799FC51A1CC62FD96F819CD5B8DADCF50E92A4ECB80A0B9C29EF
SHA-512:	FC9AEAE5A48ADB1628AF4D591641295A2D30AF50A2F616061237FABE7CEC3373D2A1111DBFCFB932528B6C2ADFA8AC6EF34B4FA5234F3D4E75669275AB3AFE02
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.w.!}:.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed
Entropy (8bit):	6.394206485804745
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Vb1S2HJcnN.dll
File size:	322'801 bytes
MD5:	8b46c170f7f8a38a8f69fa4bc2b53d61
SHA1:	bd61c244153364c6322a4bc9337d15dcf9c3bf00
SHA256:	27f8d7bbfe91b1ef754a445fbccc24c9da11695ca63c44a33fa12a1df338b76f
SHA512:	37fbb60a471e58ccab0aefbf530bdb3c674310b1abf7d1966493ff890119d4bcb68fe8d9b21bae13d98842811634dc8fc192801b0a94b91ed62a674477e8dabf
SSDEEP:	6144:YutK09bpsWYrPnP3UKLSr1TS8BbdrFucR+z+qagIK+bcgaI0b:BK0YWYrPP35LSrBS8LQ4+z+qagQYVIK
TLSH:	4C64AE0237B552F5D4F70A3A9F35E72DE33438109CA8DD159B8A08C91CE394AAED578B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10042ae6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:
Time Stamp:	0x565C7C9C [Mon Nov 30 16:43:08 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1e14d607956b4cc2b9b7835c72bf0b77

Entrypoint Preview

Instruction
jmp 00007F7774EC7F5Eh
adc byte ptr [ebp+6E3FA254h], al
or eax, dword ptr [esi]
mov cl, 92h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4fb24	0x68	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d6cc	0x118	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0xb10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49000	0x1628	.text
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4e000	0x4ca00	b29859f73b90e7f64037da48fbee12a8	False	0.5888783391109299	data	6.394873960706557	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x2000	0x1e00	a03763a40a39da37762a5efcd57a5136	False	0.6859375	data	6.354524003809639	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x51000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x4b000	0x16c	data	English	United States	0.5521978021978022
RT_STRING	0x4b170	0x86	data	English	United States	0.6417910447761194
RT_STRING	0x4b1f8	0x56	data	English	United States	0.6744186046511628
RT_STRING	0x4b250	0x16e	data	English	United States	0.505464480874317
RT_STRING	0x4b3c0	0x128	data	English	United States	0.581081081081081
RT_STRING	0x4b4e8	0xd2	data	English	United States	0.5761904761904761
RT_STRING	0x4b5c0	0x6a	data	English	United States	0.660377358490566
RT_STRING	0x4b630	0xc8	Matlab v4 mat-file (little endian) b, numeric, rows 0, columns 0	English	United States	0.555
RT_STRING	0x4b6f8	0x200	data	English	United States	0.375
RT_STRING	0x4b8f8	0x23e	data	English	United States	0.44773519163763065
RT_STRING	0x4bb38	0x12e	data	English	United States	0.4503311258278146
RT_STRING	0x4bc68	0xca	Matlab v4 mat-file (little endian) O, numeric, rows 0, columns 0	English	United States	0.42574257425742573
RT_STRING	0x4bd38	0x252	data	English	United States	0.39225589225589225
RT_STRING	0x4bf90	0x28e	data	English	United States	0.43730886850152906
RT_STRING	0x4c220	0xce	data	English	United States	0.4563106796116505
RT_STRING	0x4c2f0	0x15c	Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0	English	United States	0.4166666666666667
RT_STRING	0x4c450	0x398	data	English	United States	0.375
RT_STRING	0x4c7e8	0x2ae	data	English	United States	0.3688046647230321
RT_STRING	0x4ca98	0x42	data	English	United States	0.4696969696969697
RT_STRING	0x4cae0	0x20	data	English	United States	0.34375
RT_STRING	0x4cb00	0x20	data	English	United States	0.34375
RT_STRING	0x4cb20	0x20	data	English	United States	0.34375
RT_STRING	0x4cb40	0x20	data	English	United States	0.34375
RT_STRING	0x4cb60	0x20	data	English	United States	0.34375
RT_STRING	0x4cb80	0x20	data	English	United States	0.34375
RT_STRING	0x4cba0	0x20	data	English	United States	0.34375
RT_STRING	0x4cbc0	0x20	data	English	United States	0.34375
RT_STRING	0x4cbe0	0x7a	data	English	United States	0.6475409836065574
RT_STRING	0x4cc60	0x20	data	English	United States	0.34375
RT_STRING	0x4cc80	0x20	data	English	United States	0.34375
RT_STRING	0x4cca0	0x13a	Matlab v4 mat-file (little endian) ', numeric, rows 0, columns 0	English	United States	0.3821656050955414
RT_STRING	0x4cde0	0x19a	data	English	United States	0.4195121951219512
RT_STRING	0x4cf80	0x9a	data	English	United States	0.512987012987013
RT_STRING	0x4d020	0xa8	data	English	United States	0.5833333333333334
RT_STRING	0x4d0c8	0x20	data	English	United States	0.34375
RT_VERSION	0x4f7f0	0x31c	data	English	United States	0.4296482412060301
RT_HTML	0x4d0e8	0x49	HTML document, ASCII text, with CRLF line terminators	English	United States	0.8493150684931506
RT_HTML	0x4d138	0xd	HTML document, ASCII text, with no line terminators	English	United States	1.3076923076923077
RT_HTML	0x4d148	0x6be	HTML document, ASCII text, with CRLF line terminators	English	United States	0.5179606025492468

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	_strcmpi
KERNEL32.dll	CreateDirectoryA
USER32.dll	GetDesktopWindow
ADVAPI32.dll	RegDeleteValueA
WS2_32.dll	htons
SHLWAPI.dll	PathIsDirectoryA
ole32.dll	CoUninitialize
OLEAUT32.dll	SafeArrayGetVartype
MSVCP60.dll	?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
NETAPI32.dll	Netbios
KERNEL32.dll	GetModuleFileNameW
KERNEL32.dll	GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

Exports

Name	Ordinal	Address
DoAddToFavDlg	1	0x10008645
InputFile	2	0x1000678b
PrintFile	3	0x1000443d

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:18:22.048537970 CET	49740	18530	192.168.2.4	107.163.56.110
Nov 19, 2024 13:18:22.048964024 CET	49741	18659	192.168.2.4	107.160.131.253
Nov 19, 2024 13:18:23.061832905 CET	49741	18659	192.168.2.4	107.160.131.253
Nov 19, 2024 13:18:23.061947107 CET	49740	18530	192.168.2.4	107.163.56.110
Nov 19, 2024 13:18:25.061863899 CET	49741	18659	192.168.2.4	107.160.131.253
Nov 19, 2024 13:18:25.061878920 CET	49740	18530	192.168.2.4	107.163.56.110
Nov 19, 2024 13:18:29.061863899 CET	49740	18530	192.168.2.4	107.163.56.110
Nov 19, 2024 13:18:29.077466965 CET	49741	18659	192.168.2.4	107.160.131.253
Nov 19, 2024 13:18:37.061889887 CET	49740	18530	192.168.2.4	107.163.56.110
Nov 19, 2024 13:18:37.093113899 CET	49741	18659	192.168.2.4	107.160.131.253
Nov 19, 2024 13:18:47.135231972 CET	49764	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:47.137243032 CET	49765	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:48.140038967 CET	49765	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:48.140363932 CET	49764	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:50.139990091 CET	49764	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:50.140074968 CET	49765	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:51.112329006 CET	49790	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:51.150532007 CET	49792	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:51.271297932 CET	49794	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:52.140028000 CET	49792	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:52.280653000 CET	49790	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:52.280670881 CET	49794	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:54.171263933 CET	49792	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:54.390093088 CET	49794	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:54.390137911 CET	49790	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:55.156553984 CET	49818	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:55.271756887 CET	49820	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:55.272110939 CET	49821	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:56.171252966 CET	49818	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:56.374376059 CET	49820	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:56.375252008 CET	49821	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:58.171272039 CET	49818	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:58.374398947 CET	49820	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:58.374418974 CET	49821	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:18:59.172570944 CET	49848	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:59.325823069 CET	49851	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:18:59.327474117 CET	49852	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:00.280654907 CET	49848	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:00.390048027 CET	49852	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:00.390099049 CET	49851	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:02.329382896 CET	49848	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:02.480479956 CET	49852	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:02.480568886 CET	49851	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:03.356714010 CET	49882	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:03.474198103 CET	49884	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:03.538794994 CET	49886	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:04.374392986 CET	49882	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:04.561925888 CET	49884	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:04.561924934 CET	49886	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:06.374397993 CET	49882	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:06.561892986 CET	49884	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:06.561913013 CET	49886	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:07.359667063 CET	49919	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:07.479881048 CET	49921	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:07.482842922 CET	49922	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:08.361557961 CET	49919	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:08.468163967 CET	49921	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:08.525696993 CET	49922	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:10.358798027 CET	49919	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:10.468173027 CET	49921	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:10.630311012 CET	49922	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:11.375237942 CET	49953	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:11.574059010 CET	49956	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:11.577353001 CET	49957	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:12.390034914 CET	49953	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:12.577553034 CET	49956	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:12.577661037 CET	49957	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:14.390060902 CET	49953	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:14.577589035 CET	49957	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:14.577593088 CET	49956	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:15.375354052 CET	49992	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:15.527808905 CET	49995	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:15.529145002 CET	49996	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:16.374469995 CET	49992	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:16.530674934 CET	49995	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:16.530685902 CET	49996	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:18.374471903 CET	49992	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:18.546298981 CET	49995	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:18.546304941 CET	49996	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:19.375407934 CET	50027	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:19.497210026 CET	50029	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:19.502137899 CET	50030	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:20.390080929 CET	50027	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:20.499416113 CET	50029	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:20.515043974 CET	50030	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:22.390050888 CET	50027	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:22.515055895 CET	50030	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:22.515158892 CET	50029	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:23.391130924 CET	50065	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:23.504271984 CET	50068	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:23.505750895 CET	50069	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:24.390074015 CET	50065	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:24.515079975 CET	50068	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:24.515100956 CET	50069	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:26.390095949 CET	50065	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:26.530673027 CET	50068	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:26.531073093 CET	50069	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:27.407202005 CET	50104	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:27.521267891 CET	50106	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:27.522701025 CET	50107	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:28.421411991 CET	50104	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:28.530709028 CET	50106	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:28.530770063 CET	50107	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:30.437000990 CET	50104	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:30.546370029 CET	50106	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:30.548027992 CET	50107	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:31.408539057 CET	50143	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:31.521815062 CET	50145	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:31.521985054 CET	50146	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:32.421334028 CET	50143	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:32.530741930 CET	50145	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:32.530745029 CET	50146	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:34.437115908 CET	50143	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:34.530752897 CET	50145	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:34.546348095 CET	50146	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:35.422389984 CET	50192	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:35.539071083 CET	50195	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:35.539674997 CET	50196	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:36.436959028 CET	50192	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:36.546394110 CET	50195	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:36.546488047 CET	50196	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:38.436980009 CET	50192	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:38.546364069 CET	50195	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:38.546370029 CET	50196	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:39.462774038 CET	50242	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:39.565692902 CET	50245	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:39.580967903 CET	50246	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:40.468230009 CET	50242	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:40.577600002 CET	50245	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:40.593214035 CET	50246	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:42.468242884 CET	50242	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:42.593215942 CET	50245	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:42.593219042 CET	50246	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:43.478548050 CET	50296	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:43.602391958 CET	50299	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:43.604712009 CET	50300	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:44.486110926 CET	50296	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:44.608875036 CET	50299	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:44.608928919 CET	50300	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:46.499464035 CET	50296	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:46.608876944 CET	50299	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:46.609129906 CET	50300	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:47.485163927 CET	50356	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:47.598889112 CET	50360	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:47.599699974 CET	50361	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:48.499454021 CET	50356	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:48.608848095 CET	50361	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:48.608853102 CET	50360	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:50.515100002 CET	50356	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:50.624471903 CET	50361	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:50.624633074 CET	50360	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:51.490907907 CET	50424	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:51.597378969 CET	50428	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:52.128925085 CET	50440	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:52.499497890 CET	50424	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:52.608872890 CET	50428	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:53.140316963 CET	50440	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:54.499537945 CET	50424	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:54.624484062 CET	50428	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:55.140095949 CET	50440	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:55.500935078 CET	50503	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:55.613717079 CET	50508	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:55.615772009 CET	50509	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:56.515105009 CET	50503	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:56.624486923 CET	50509	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:56.624496937 CET	50508	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:58.515129089 CET	50503	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:58.640149117 CET	50508	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:58.640151024 CET	50509	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:59.516247034 CET	50605	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:19:59.629674911 CET	50611	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:19:59.629808903 CET	50610	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:00.530738115 CET	50605	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:00.640121937 CET	50610	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:00.640186071 CET	50611	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:02.530738115 CET	50605	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:02.641954899 CET	50610	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:02.642050028 CET	50611	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:03.535337925 CET	50703	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:03.644848108 CET	50704	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:03.646821022 CET	50705	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:04.593275070 CET	50703	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:04.749298096 CET	50704	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:04.749598980 CET	50705	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:06.687005997 CET	50703	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:06.797483921 CET	50704	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:06.797605038 CET	50705	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:07.548072100 CET	50881	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:07.665133953 CET	50891	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:07.665379047 CET	50890	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:08.577646017 CET	50881	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:08.765117884 CET	50890	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:08.765141964 CET	50891	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:10.671394110 CET	50881	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:10.874511957 CET	50890	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:10.874538898 CET	50891	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:11.563838005 CET	51071	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:11.685025930 CET	51079	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:11.685570955 CET	51080	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:12.671402931 CET	51071	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:12.769589901 CET	51080	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:12.769592047 CET	51079	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:14.671391964 CET	51071	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:14.774666071 CET	51079	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:14.774666071 CET	51080	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:15.608108044 CET	51289	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:15.731447935 CET	51298	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:15.736401081 CET	51299	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:16.782712936 CET	51289	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:16.874531984 CET	51299	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:16.874533892 CET	51298	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:18.781356096 CET	51289	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:18.874542952 CET	51299	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:18.874547005 CET	51298	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:19.613500118 CET	51487	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:19.727855921 CET	51490	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:19.786082029 CET	51492	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:20.781303883 CET	51487	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:20.874551058 CET	51490	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:20.890158892 CET	51492	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:22.780801058 CET	51487	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:22.874525070 CET	51490	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:22.890311956 CET	51492	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:23.850233078 CET	51637	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:23.851000071 CET	51638	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:23.984807968 CET	51639	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:24.890166044 CET	51637	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:24.890186071 CET	51638	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:25.005198002 CET	51639	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:26.890186071 CET	51637	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:26.890234947 CET	51638	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:27.030781031 CET	51639	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:27.861223936 CET	52656	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:28.006258011 CET	52686	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:28.008310080 CET	52688	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:28.874672890 CET	52656	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:29.038379908 CET	52686	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:29.038465977 CET	52688	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:30.874880075 CET	52656	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:31.077724934 CET	52686	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:31.077900887 CET	52688	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:31.876086950 CET	54715	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:31.993350983 CET	54772	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:31.997782946 CET	54773	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:32.875267982 CET	54715	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:33.039513111 CET	54773	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:33.039803982 CET	54772	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:34.874568939 CET	54715	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:35.093350887 CET	54772	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:35.093491077 CET	54773	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:36.010514975 CET	57512	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:36.014333963 CET	57514	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:36.016479015 CET	57515	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:37.077673912 CET	57512	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:37.093332052 CET	57514	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:37.093436956 CET	57515	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:39.077677011 CET	57512	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:39.187058926 CET	57514	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:39.187093973 CET	57515	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:40.030221939 CET	59590	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:40.146106958 CET	59678	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:40.149595022 CET	59680	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:41.093308926 CET	59590	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:41.171408892 CET	59678	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:41.171489000 CET	59680	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:43.171454906 CET	59678	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:43.171551943 CET	59680	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:43.187077999 CET	59590	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:44.031641960 CET	62091	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:44.198333979 CET	62200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:44.201992989 CET	62203	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:45.077692032 CET	62091	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:45.265185118 CET	62203	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:45.330749989 CET	62200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:47.171983004 CET	62091	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:47.374572992 CET	62203	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:47.390216112 CET	62200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:48.048618078 CET	64586	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:48.161540031 CET	64704	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:48.163074970 CET	64705	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:49.171468019 CET	64704	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:49.171554089 CET	64705	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:49.187074900 CET	64586	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:51.171468973 CET	64704	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:51.171473026 CET	64705	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:51.187068939 CET	64586	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:52.055722952 CET	50839	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:52.163338900 CET	50940	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:52.958724022 CET	51351	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:53.093348026 CET	50839	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:53.261092901 CET	50940	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:54.094134092 CET	51351	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:55.093337059 CET	50839	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:55.317234039 CET	50940	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:56.063174963 CET	53090	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:56.191423893 CET	53201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:56.192712069 CET	53202	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:57.077709913 CET	53090	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:57.265191078 CET	53202	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:57.280822039 CET	53201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:20:59.171463966 CET	53090	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:59.374563932 CET	53202	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:20:59.390214920 CET	53201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:00.078813076 CET	55579	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:00.196602106 CET	55628	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:00.198865891 CET	55629	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:01.093333960 CET	55579	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:01.214517117 CET	55628	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:01.214627981 CET	55629	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:03.148792028 CET	55579	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:03.280849934 CET	55628	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:03.280868053 CET	55629	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:04.193073034 CET	57378	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:04.194456100 CET	57379	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:04.197827101 CET	57381	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:05.265242100 CET	57378	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:05.265247107 CET	57381	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:05.280889034 CET	57379	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:07.265219927 CET	57378	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:07.265325069 CET	57381	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:07.390233040 CET	57379	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:08.229559898 CET	59901	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:08.360567093 CET	59929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:08.364995003 CET	59930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:09.265230894 CET	59901	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:09.382539988 CET	59930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:09.390248060 CET	59929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:11.270136118 CET	59901	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:11.390239000 CET	59929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:11.562127113 CET	59930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:12.359394073 CET	61907	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:12.361346006 CET	61908	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:12.363114119 CET	61909	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:13.374619007 CET	61907	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:13.390271902 CET	61908	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:13.390701056 CET	61909	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:15.374623060 CET	61907	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:15.484045029 CET	61909	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:15.484059095 CET	61908	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:16.376260996 CET	64281	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:16.504973888 CET	64394	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:16.506231070 CET	64395	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:17.374599934 CET	64281	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:17.577750921 CET	64394	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:17.577759981 CET	64395	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:19.374610901 CET	64281	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:19.671499968 CET	64394	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:19.671636105 CET	64395	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:20.391351938 CET	50671	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:20.517393112 CET	50721	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:20.519309998 CET	50722	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:21.577893972 CET	50722	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:21.593375921 CET	50671	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:21.593396902 CET	50721	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:23.577846050 CET	50722	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:23.593377113 CET	50671	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:23.593381882 CET	50721	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:24.393754005 CET	53603	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:24.519931078 CET	53664	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:24.520015955 CET	53663	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:25.440757036 CET	53603	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:25.577790022 CET	53664	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:25.593398094 CET	53663	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:27.577764988 CET	53664	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:27.593410969 CET	53663	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:27.593508005 CET	53603	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:28.409095049 CET	56249	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:28.531368971 CET	56250	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:28.571548939 CET	56251	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:29.577794075 CET	56251	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:29.577795029 CET	56249	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:29.577797890 CET	56250	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:31.577785015 CET	56249	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:31.577796936 CET	56250	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:31.578092098 CET	56251	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:32.427947044 CET	58678	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:32.538361073 CET	58722	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:32.544940948 CET	58725	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:33.430696011 CET	58678	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:33.593420029 CET	58725	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:33.593425035 CET	58722	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:35.484038115 CET	58678	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:35.593473911 CET	58722	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:35.593772888 CET	58725	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:36.438147068 CET	60749	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:36.557540894 CET	60876	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:36.558084011 CET	60877	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:37.484040022 CET	60749	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:37.593430042 CET	60876	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:37.594141006 CET	60877	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:39.504702091 CET	60749	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:39.687166929 CET	60876	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:39.687263012 CET	60877	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:40.439740896 CET	62737	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:40.556997061 CET	62824	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:40.558512926 CET	62825	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:41.532423019 CET	62737	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:41.687186003 CET	62825	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:41.687186003 CET	62824	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:43.593444109 CET	62737	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:43.780925989 CET	62824	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:43.781269073 CET	62825	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:44.454063892 CET	65073	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:44.570277929 CET	65200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:44.571264982 CET	65201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:45.528700113 CET	65073	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:45.687210083 CET	65200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:45.687310934 CET	65201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:47.596362114 CET	65073	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:47.780982971 CET	65200	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:47.781120062 CET	65201	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:48.468204021 CET	51069	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:48.623955965 CET	51070	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:48.629446030 CET	51071	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:49.529819965 CET	51069	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:49.687223911 CET	51070	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:49.687248945 CET	51071	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:51.535784006 CET	51069	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:51.687205076 CET	51070	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:51.687342882 CET	51071	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:52.469680071 CET	53364	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:52.587366104 CET	53452	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:53.003377914 CET	53658	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:53.520421028 CET	53364	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:53.687365055 CET	53452	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:54.025782108 CET	53658	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:55.568093061 CET	53364	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:55.687505960 CET	53452	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:56.093455076 CET	53658	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:56.485476017 CET	56194	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:56.610641956 CET	56315	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:56.617932081 CET	56317	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:57.599081993 CET	56194	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:57.766221046 CET	56317	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:21:57.781009912 CET	56315	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:59.593821049 CET	56194	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:59.784616947 CET	56315	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:21:59.874792099 CET	56317	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:00.501244068 CET	58057	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:00.616235018 CET	58152	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:00.618053913 CET	58154	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:01.577816963 CET	58057	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:01.687216043 CET	58152	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:01.687225103 CET	58154	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:03.577847958 CET	58057	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:03.687221050 CET	58152	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:03.687228918 CET	58154	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:04.501297951 CET	60141	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:04.653048038 CET	60195	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:04.654165030 CET	60196	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:05.562304020 CET	60141	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:05.671614885 CET	60195	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:05.671727896 CET	60196	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:07.562211990 CET	60141	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:07.671633959 CET	60195	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:07.671746016 CET	60196	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:08.516457081 CET	62483	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:08.636944056 CET	62484	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:08.645102978 CET	62485	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:09.577831984 CET	62483	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:09.687239885 CET	62484	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:09.687355042 CET	62485	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:11.577848911 CET	62483	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:11.780982971 CET	62484	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:11.781266928 CET	62485	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:12.516741991 CET	64543	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:12.634015083 CET	64665	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:12.638298035 CET	64666	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:13.577836037 CET	64543	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:13.687243938 CET	64665	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:13.765429974 CET	64666	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:15.577847004 CET	64543	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:15.687237024 CET	64665	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:15.766309023 CET	64666	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:16.534532070 CET	50554	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:16.672319889 CET	50625	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:16.673686028 CET	50626	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:17.538872957 CET	50554	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:17.690242052 CET	50625	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:17.765347958 CET	50626	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:19.624206066 CET	50554	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:19.768578053 CET	50626	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:19.780976057 CET	50625	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:20.548131943 CET	52853	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:20.681823015 CET	52929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:20.684046030 CET	52930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:21.562237024 CET	52853	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:21.709225893 CET	52929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:21.876528978 CET	52930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:23.580322981 CET	52853	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:23.781024933 CET	52929	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:23.968539000 CET	52930	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:24.568712950 CET	53319	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:24.716173887 CET	53322	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:24.718379021 CET	53324	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:25.562263012 CET	53319	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:25.719820023 CET	53324	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:25.874742031 CET	53322	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:27.562262058 CET	53319	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:27.781001091 CET	53324	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:27.874754906 CET	53322	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:31.562237024 CET	53319	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:31.781002045 CET	53324	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:31.890392065 CET	53322	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:39.577877045 CET	53319	23588	192.168.2.4	107.160.131.254
Nov 19, 2024 13:22:39.781032085 CET	53324	80	192.168.2.4	202.108.0.52
Nov 19, 2024 13:22:39.890389919 CET	53322	23588	192.168.2.4	107.160.131.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:18:44.119891882 CET	60907	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:18:44.651799917 CET	53	60907	1.1.1.1	192.168.2.4
Nov 19, 2024 13:18:48.267229080 CET	56919	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:18:48.798772097 CET	53	56919	1.1.1.1	192.168.2.4
Nov 19, 2024 13:18:50.660502911 CET	49464	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:18:51.094892025 CET	53	49464	1.1.1.1	192.168.2.4
Nov 19, 2024 13:18:53.506879091 CET	59903	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:18:54.068568945 CET	53	59903	1.1.1.1	192.168.2.4
Nov 19, 2024 13:18:58.204327106 CET	62431	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:18:58.733843088 CET	53	62431	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:03.393507957 CET	49523	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:03.404277086 CET	53	49523	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:08.251753092 CET	59076	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:08.767483950 CET	53	59076	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:13.203535080 CET	53569	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:13.210664988 CET	53	53569	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:18.222940922 CET	51508	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:18.741583109 CET	53	51508	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:23.263957024 CET	53821	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:23.272671938 CET	53	53821	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:28.234705925 CET	56145	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:28.758327961 CET	53	56145	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:33.244900942 CET	60160	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:33.252099037 CET	53	60160	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:38.203547001 CET	64475	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:38.742898941 CET	53	64475	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:43.469425917 CET	50510	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:43.477853060 CET	53	50510	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:48.172313929 CET	63338	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:48.689483881 CET	53	63338	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:51.629317999 CET	55393	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:52.128176928 CET	53	55393	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:53.203690052 CET	50340	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:53.768621922 CET	53	50340	1.1.1.1	192.168.2.4
Nov 19, 2024 13:19:58.188425064 CET	60006	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:19:58.992417097 CET	53	60006	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:03.174535036 CET	63987	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:03.686950922 CET	53	63987	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:08.190300941 CET	53341	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:08.706626892 CET	53	53341	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:13.198071003 CET	53138	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:13.205178022 CET	53	53138	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:18.173748016 CET	59370	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:18.746479034 CET	53	59370	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:23.182076931 CET	52980	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:23.959041119 CET	53	52980	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:28.171667099 CET	52610	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:28.976007938 CET	53	52610	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:33.171930075 CET	58462	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:33.179172993 CET	53	58462	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:38.174482107 CET	51162	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:38.879429102 CET	53	51162	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:43.173259974 CET	53959	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:43.739478111 CET	53	53959	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:48.174981117 CET	50708	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:48.182396889 CET	53	50708	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:52.260427952 CET	57030	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:52.957703114 CET	53	57030	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:53.172297001 CET	54700	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:53.855823040 CET	53	54700	1.1.1.1	192.168.2.4
Nov 19, 2024 13:20:58.175903082 CET	65533	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:20:58.183680058 CET	53	65533	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:03.174149990 CET	52966	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:03.775631905 CET	53	52966	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:08.172528028 CET	56142	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:08.180111885 CET	53	56142	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:13.172472000 CET	54671	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:13.690617085 CET	53	54671	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:18.198633909 CET	63617	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:18.722723007 CET	53	63617	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:23.173294067 CET	62788	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:23.180836916 CET	53	62788	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:28.182641029 CET	50870	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:28.699582100 CET	53	50870	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:33.172538042 CET	60989	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:33.835979939 CET	53	60989	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:38.172022104 CET	61452	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:38.751797915 CET	53	61452	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:43.172972918 CET	57493	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:43.740088940 CET	53	57493	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:48.174196005 CET	57385	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:48.772150993 CET	53	57385	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:52.587991953 CET	55262	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:52.977952957 CET	53	55262	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:53.183461905 CET	61280	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:53.190995932 CET	53	61280	1.1.1.1	192.168.2.4
Nov 19, 2024 13:21:58.173227072 CET	58842	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:21:58.707442999 CET	53	58842	1.1.1.1	192.168.2.4
Nov 19, 2024 13:22:03.172323942 CET	59882	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:22:03.179351091 CET	53	59882	1.1.1.1	192.168.2.4
Nov 19, 2024 13:22:08.172020912 CET	64292	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:22:08.818671942 CET	53	64292	1.1.1.1	192.168.2.4
Nov 19, 2024 13:22:13.198558092 CET	54619	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:22:13.747597933 CET	53	54619	1.1.1.1	192.168.2.4
Nov 19, 2024 13:22:18.177263021 CET	54594	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:22:18.696722031 CET	53	54594	1.1.1.1	192.168.2.4
Nov 19, 2024 13:22:23.282488108 CET	65436	53	192.168.2.4	1.1.1.1
Nov 19, 2024 13:22:23.289880991 CET	53	65436	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 13:18:44.119891882 CET	192.168.2.4	1.1.1.1	0xe893	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:48.267229080 CET	192.168.2.4	1.1.1.1	0xdb92	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:50.660502911 CET	192.168.2.4	1.1.1.1	0xf87e	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:53.506879091 CET	192.168.2.4	1.1.1.1	0xd91f	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:58.204327106 CET	192.168.2.4	1.1.1.1	0xa1c8	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:03.393507957 CET	192.168.2.4	1.1.1.1	0x7c1e	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:08.251753092 CET	192.168.2.4	1.1.1.1	0x6f80	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:13.203535080 CET	192.168.2.4	1.1.1.1	0x5076	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:18.222940922 CET	192.168.2.4	1.1.1.1	0x9031	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:23.263957024 CET	192.168.2.4	1.1.1.1	0x212a	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:28.234705925 CET	192.168.2.4	1.1.1.1	0x5015	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:33.244900942 CET	192.168.2.4	1.1.1.1	0x178	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:38.203547001 CET	192.168.2.4	1.1.1.1	0x68c6	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:43.469425917 CET	192.168.2.4	1.1.1.1	0x54bd	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:48.172313929 CET	192.168.2.4	1.1.1.1	0xd456	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:51.629317999 CET	192.168.2.4	1.1.1.1	0x17ad	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:53.203690052 CET	192.168.2.4	1.1.1.1	0x27a1	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:58.188425064 CET	192.168.2.4	1.1.1.1	0x4889	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:03.174535036 CET	192.168.2.4	1.1.1.1	0x9dfe	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:08.190300941 CET	192.168.2.4	1.1.1.1	0x487e	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:13.198071003 CET	192.168.2.4	1.1.1.1	0x6a2	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:18.173748016 CET	192.168.2.4	1.1.1.1	0xe71d	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:23.182076931 CET	192.168.2.4	1.1.1.1	0x5ce1	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:28.171667099 CET	192.168.2.4	1.1.1.1	0x9b4a	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:33.171930075 CET	192.168.2.4	1.1.1.1	0x3115	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:38.174482107 CET	192.168.2.4	1.1.1.1	0x9226	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:43.173259974 CET	192.168.2.4	1.1.1.1	0x39a4	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:48.174981117 CET	192.168.2.4	1.1.1.1	0x86dc	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:52.260427952 CET	192.168.2.4	1.1.1.1	0x7cd1	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:53.172297001 CET	192.168.2.4	1.1.1.1	0xbc8b	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:58.175903082 CET	192.168.2.4	1.1.1.1	0x8c3a	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:03.174149990 CET	192.168.2.4	1.1.1.1	0x5bbd	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:08.172528028 CET	192.168.2.4	1.1.1.1	0x2615	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:13.172472000 CET	192.168.2.4	1.1.1.1	0x1e9d	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:18.198633909 CET	192.168.2.4	1.1.1.1	0x88da	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:23.173294067 CET	192.168.2.4	1.1.1.1	0x6b10	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:28.182641029 CET	192.168.2.4	1.1.1.1	0x48a7	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:33.172538042 CET	192.168.2.4	1.1.1.1	0xc95c	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:38.172022104 CET	192.168.2.4	1.1.1.1	0x6e4b	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:43.172972918 CET	192.168.2.4	1.1.1.1	0x1c87	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:48.174196005 CET	192.168.2.4	1.1.1.1	0xc9a4	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:52.587991953 CET	192.168.2.4	1.1.1.1	0xb4a4	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:53.183461905 CET	192.168.2.4	1.1.1.1	0xbabd	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:58.173227072 CET	192.168.2.4	1.1.1.1	0xdf3b	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:03.172323942 CET	192.168.2.4	1.1.1.1	0xee55	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:08.172020912 CET	192.168.2.4	1.1.1.1	0xde1b	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:13.198558092 CET	192.168.2.4	1.1.1.1	0x3bd0	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:18.177263021 CET	192.168.2.4	1.1.1.1	0xc907	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:23.282488108 CET	192.168.2.4	1.1.1.1	0x51bd	Standard query (0)	host123.zz.am	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 13:18:44.651799917 CET	1.1.1.1	192.168.2.4	0xe893	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:48.798772097 CET	1.1.1.1	192.168.2.4	0xdb92	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:51.094892025 CET	1.1.1.1	192.168.2.4	0xf87e	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 13:18:51.094892025 CET	1.1.1.1	192.168.2.4	0xf87e	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:54.068568945 CET	1.1.1.1	192.168.2.4	0xd91f	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:18:58.733843088 CET	1.1.1.1	192.168.2.4	0xa1c8	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:03.404277086 CET	1.1.1.1	192.168.2.4	0x7c1e	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:08.767483950 CET	1.1.1.1	192.168.2.4	0x6f80	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:13.210664988 CET	1.1.1.1	192.168.2.4	0x5076	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:18.741583109 CET	1.1.1.1	192.168.2.4	0x9031	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:23.272671938 CET	1.1.1.1	192.168.2.4	0x212a	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:28.758327961 CET	1.1.1.1	192.168.2.4	0x5015	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:33.252099037 CET	1.1.1.1	192.168.2.4	0x178	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:38.742898941 CET	1.1.1.1	192.168.2.4	0x68c6	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:43.477853060 CET	1.1.1.1	192.168.2.4	0x54bd	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:48.689483881 CET	1.1.1.1	192.168.2.4	0xd456	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:52.128176928 CET	1.1.1.1	192.168.2.4	0x17ad	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 13:19:52.128176928 CET	1.1.1.1	192.168.2.4	0x17ad	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:53.768621922 CET	1.1.1.1	192.168.2.4	0x27a1	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:19:58.992417097 CET	1.1.1.1	192.168.2.4	0x4889	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:03.686950922 CET	1.1.1.1	192.168.2.4	0x9dfe	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:08.706626892 CET	1.1.1.1	192.168.2.4	0x487e	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:13.205178022 CET	1.1.1.1	192.168.2.4	0x6a2	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:18.746479034 CET	1.1.1.1	192.168.2.4	0xe71d	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:23.959041119 CET	1.1.1.1	192.168.2.4	0x5ce1	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:28.976007938 CET	1.1.1.1	192.168.2.4	0x9b4a	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:33.179172993 CET	1.1.1.1	192.168.2.4	0x3115	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:38.879429102 CET	1.1.1.1	192.168.2.4	0x9226	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:43.739478111 CET	1.1.1.1	192.168.2.4	0x39a4	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:48.182396889 CET	1.1.1.1	192.168.2.4	0x86dc	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:52.957703114 CET	1.1.1.1	192.168.2.4	0x7cd1	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 13:20:52.957703114 CET	1.1.1.1	192.168.2.4	0x7cd1	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:53.855823040 CET	1.1.1.1	192.168.2.4	0xbc8b	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:20:58.183680058 CET	1.1.1.1	192.168.2.4	0x8c3a	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:03.775631905 CET	1.1.1.1	192.168.2.4	0x5bbd	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:08.180111885 CET	1.1.1.1	192.168.2.4	0x2615	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:13.690617085 CET	1.1.1.1	192.168.2.4	0x1e9d	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:18.722723007 CET	1.1.1.1	192.168.2.4	0x88da	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:23.180836916 CET	1.1.1.1	192.168.2.4	0x6b10	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:28.699582100 CET	1.1.1.1	192.168.2.4	0x48a7	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:33.835979939 CET	1.1.1.1	192.168.2.4	0xc95c	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:38.751797915 CET	1.1.1.1	192.168.2.4	0x6e4b	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:43.740088940 CET	1.1.1.1	192.168.2.4	0x1c87	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:48.772150993 CET	1.1.1.1	192.168.2.4	0xc9a4	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:52.977952957 CET	1.1.1.1	192.168.2.4	0xb4a4	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 13:21:52.977952957 CET	1.1.1.1	192.168.2.4	0xb4a4	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:53.190995932 CET	1.1.1.1	192.168.2.4	0xbabd	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:21:58.707442999 CET	1.1.1.1	192.168.2.4	0xdf3b	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:03.179351091 CET	1.1.1.1	192.168.2.4	0xee55	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:08.818671942 CET	1.1.1.1	192.168.2.4	0xde1b	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:13.747597933 CET	1.1.1.1	192.168.2.4	0x3bd0	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:18.696722031 CET	1.1.1.1	192.168.2.4	0xc907	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:22:23.289880991 CET	1.1.1.1	192.168.2.4	0x51bd	Name error (3)	host123.zz.am	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll"
Imagebase:	0xbe0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,DoAddToFavDlg
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",#1
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:18:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xdf0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:18:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,InputFile
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:18:24
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Vb1S2HJcnN.dll,PrintFile
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:18:24
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7540 -s 676
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",InputFile
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Vb1S2HJcnN.dll",PrintFile
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7780, Parent PID: 7740

General

Target ID:	18
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xdf0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:18:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 668
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:18:51
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:18:51
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1216, Parent PID: 3168

General

Target ID:	26
Start time:	07:18:51
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:18:51
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xdf0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:18:59
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\Vb1S2HJcnN.dll",DoAddToFavDlg
Imagebase:	0xbe0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7776, Parent PID: 7292

General

Target ID:	29
Start time:	07:18:59
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7876, Parent PID: 7776

General

Target ID:	30
Start time:	07:18:59
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:18:59
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xdf0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	99.6%
Signature Coverage:	1.2%
Total number of Nodes:	251
Total number of Limit Nodes:	10

Executed Functions

Function 10007F3E Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 10007FCF
12010043, xrefs: 1000805B
%s\%s, xrefs: 10008067
P, xrefs: 100080F7
NPKI, xrefs: 1000802C
L2ltYWdlLnBocA==, xrefs: 1000818B
*.*, xrefs: 10007F8C
107.160.131.254:23588/article.php, xrefs: 10008113

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$12010043$L2ltYWdlLnBocA==$NPKI$P
API String ID: 0-3984435826
Opcode ID: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
Opcode Fuzzy Hash: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61

Function 10003FB7 Relevance: 1.5, APIs: 1, Instructions: 4processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12

Function 10006EDE Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 174
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F24
Sleep.KERNEL32 ref: 10007059
wsprintfA.USER32 ref: 1000709D
PrintFile.VB1S2HJCNN(00000000,?,00000000), ref: 100070D6
PrintFile.VB1S2HJCNN(00000000,?,00000000,?,00000000), ref: 100070E9

Strings

c:\1.txt, xrefs: 10007047
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F79
QVNEU3ZjLmV4ZQ==, xrefs: 10006EEE
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006F90
http://107.160.131.254:23588/article.php, xrefs: 10007007
iOffset, xrefs: 10007042
QVlSVFNydi5heWU=, xrefs: 10006EFA

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FilePrintSleep$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
API String ID: 1547040302-3813294871
Opcode ID: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
Opcode Fuzzy Hash: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55

Function 10006499 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 272
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 100064F7

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006546

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39

Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,74DF0ECC,0007D000,00000000,00000000), ref: 100065C8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,74DF0ECC,0007D000,00000000,00000000), ref: 100065E6
wsprintfA.USER32 ref: 100066E9

Strings

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000651A
title, xrefs: 10006647, 1000664C, 10006655
aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, xrefs: 100064DF

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
API String ID: 4077377486-2496724313
Opcode ID: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
Opcode Fuzzy Hash: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1

Function 10005DB4 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 116
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Strings

ProcessorNameString, xrefs: 10005E02
12010043, xrefs: 10005E8F
%u MB, xrefs: 10005E7E
Find CPU Error, xrefs: 10005E36
http://107.160.131.254:23588/article.php, xrefs: 10005EF8
@, xrefs: 10005E57
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
API String ID: 271660946-3893357082
Opcode ID: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
Opcode Fuzzy Hash: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55

Function 10006CF7 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 72
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

wsprintfA.USER32 ref: 10006D88
___crtGetTimeFormatEx.LIBCMT ref: 10006DAE

Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,dtfd,00000000,00000001,?,00000001,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Strings

dtfd, xrefs: 10006DA6
REG_SZ, xrefs: 10006D44
C:\Users\user\Desktop\Vb1S2HJcnN.dll, xrefs: 10006D26, 10006D2C, 10006D71
C:\Windows\SysWOW64\rundll32.exe, xrefs: 10006D77
%s "%s",DoAddToFavDlg, xrefs: 10006D82
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",DoAddToFavDlg$C:\Users\user\Desktop\Vb1S2HJcnN.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
API String ID: 1762869224-2962379768
Opcode ID: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
Opcode Fuzzy Hash: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4

Function 1000826C Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 145
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
wsprintfA.USER32 ref: 100083E6

Strings

XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
8.8.8.8, xrefs: 100083EF
127.0.0.1, xrefs: 100083F4
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
http://107.160.131.254:23588/article.php, xrefs: 10008353
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
API String ID: 1749205058-626475063
Opcode ID: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
Opcode Fuzzy Hash: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51

Function 10006A6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006AA8

Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546

Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1

Strings

0x5d65r455f, xrefs: 10006A97
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
String ID: 0x5d65r455f$5762479093
API String ID: 3244495550-2446933972
Opcode ID: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
Opcode Fuzzy Hash: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3

Function 10008567 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710), ref: 1000857E
Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF

Strings

aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008580
D, xrefs: 10008612
wINsTA0\dEFauLT, xrefs: 1000862C

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
API String ID: 3472027048-3516831565
Opcode ID: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
Opcode Fuzzy Hash: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91

Function 100044AD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 100044E9
GetExtendedUdpTable.IPHLPAPI(?,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 10004513

Strings

GetExtendedUdpTable, xrefs: 100044CA
iphlpapi.dll, xrefs: 100044BC

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable
String ID: GetExtendedUdpTable$iphlpapi.dll
API String ID: 2407854163-1809394930
Opcode ID: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
Instruction ID: 6449560a486cb6172ee975f2d37c1f40bf8993c7a1880d61e14318031523e361
Opcode Fuzzy Hash: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
Instruction Fuzzy Hash: D1215CB5500508BFEB20DB69DC46EAF77BCDF813D1F214519F9119A086DE30AE808674

Function 1000841C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 119
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C

Strings

U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
svchsot.exe, xrefs: 10008524

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
API String ID: 3472027048-2214221337
Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1

Function 100087B6 Relevance: 6.0, APIs: 4, Instructions: 27
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
CreateThread.KERNEL32(?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
Sleep.KERNEL32(000000FF,?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E8

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateSleepThread
String ID:
API String ID: 4202482776-0
Opcode ID: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
Instruction ID: 2df9746d7e78e8372c6e87ac4aa0691d1060a96339f5c4ce5d4c7b8b7a8da0f8
Opcode Fuzzy Hash: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
Instruction Fuzzy Hash: 46E05EE024435DBDF321B2791CC8DFF1E0DEB812FCB254252F528100CB6A540D048AB2

Function 10006B1F Relevance: 4.6, APIs: 3, Instructions: 122
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006B55
CreateThread.KERNEL32(?,?,1000687E), ref: 10006B6B
Sleep.KERNEL32(00002710,?,00000000,00000000,000000FF,?,?,1000687E), ref: 10006B88

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexSleepThread
String ID:
API String ID: 145085098-0
Opcode ID: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
Instruction ID: 4f35827bfa7b5ea93410d600da94e256639eda4c8ceaa52b9f8b13dee9a51c26
Opcode Fuzzy Hash: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
Instruction Fuzzy Hash: 463182714043905EF716DB284C45EA7BFAEDF5A390B14416AF8A5CB287D620D941C771

Function 10007101 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 100071AC
wsprintfA.USER32 ref: 100071FE

Strings

http://107.160.131.254:23588/article.php, xrefs: 1000716B

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: http://107.160.131.254:23588/article.php
API String ID: 1749205058-3833642815
Opcode ID: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
Instruction ID: aabc6cc0ccec88c78b37051fa20fdae4f9ca8aa4d7268392f08ad21868547801
Opcode Fuzzy Hash: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
Instruction Fuzzy Hash: 462129B6D046557AF724D368CC56FCF37ACEF053D0F2000A6F608A50C6E679AE818A11

Function 100061BD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006201

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
Opcode Fuzzy Hash: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660

Function 10006290 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 100062BF

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen$FormatTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 1165476586-1918919809
Opcode ID: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
Opcode Fuzzy Hash: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5

Function 100081F7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0036EE80), ref: 10008264

Strings

C:\Program Files, xrefs: 10008200

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
Instruction ID: c9703108929f2dc2805788eab40c91aa3f5a92b87bc929f4f41ff718cce9746c
Opcode Fuzzy Hash: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
Instruction Fuzzy Hash: 40F0723A905AA1A6F701DFA409C068B776DFF022A0B210026F840BF047C7B18E0243E2

Function 1000406C Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91

Function 100040BA Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1

Function 10003F0A Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95

Function 10003ECE Relevance: 1.5, APIs: 1, Instructions: 5synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02

Function 10003FF7 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12

Function 10004104 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(00000000,00000000), ref: 1000410C

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12

Function 10004115 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000000), ref: 1000411D

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12

Function 1000400A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?,1000824C,10015940), ref: 1000400E

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01

Function 10004092 Relevance: 1.5, APIs: 1, Instructions: 3registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
Instruction ID: c461232d01f39555025ee1551a6f08c036cd225bd5518e59674b318f5e785400
Opcode Fuzzy Hash: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
Instruction Fuzzy Hash: 799002705055119BDE415B11CF494097AA5AB84701B008458E04A41030C7318810EA01

Function 10003EB4 Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(00000000), ref: 10003EB8

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
Instruction ID: ddc175de635f80408d7ee48a1059bf0ffdd1ba2c9e36570999931cb834b2f0bc
Opcode Fuzzy Hash: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
Instruction Fuzzy Hash: F7900270545110ABDE015B21CF4A4097A61AB85B01B048454E14940031C7318810EA12

Function 10003F72 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
Instruction ID: df56204a28902bd86cd8e7b59e1535f4ff11cbe2af3c274bf077f84441daad3a
Opcode Fuzzy Hash: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
Instruction Fuzzy Hash: 869002705051109BDF015B11CF494497A65AB84701B00855CF05A41431C7318910EA01

Non-executed Functions

Function 1000B224 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

K, xrefs: 1000B246

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction ID: 6c5504f13a17a8b4553fb93f6e314e3eb43bbcef24ba1366296fc093faca9512
Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction Fuzzy Hash: 13D1F2311046896EDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771

Function 1000AEC0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

K, xrefs: 1000AEE2

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction ID: a9c7f45465d92fcd6248bf8d3b75336943ce7982e690b294f387925eaf45448f
Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction Fuzzy Hash: 6F9143311046896EDB21CFAD8C80EFFBBBCAF06A40F840549FE85C7642D255E92DA771

Function 10003F41 Relevance: 1.5, APIs: 1, Instructions: 6filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?), ref: 10003F51

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02

Function 10003F63 Relevance: 1.5, APIs: 1, Instructions: 4shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
Instruction ID: a0a7e03ceb7acd9bb0d3454ea8bb5ca0f40435505fc546ba40186378cb909d0a
Opcode Fuzzy Hash: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
Instruction Fuzzy Hash: 81A00175509222EBDE025B51CE4888ABEA6AB88381F008858F28940031C77284A2EB02

Function 100121ED Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

', xrefs: 100121FC

Memory Dump Source

Source File: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 5e1b7fa75d798f3fa9518893cf7255a08fd4602d24c853d58b87a38f934e217c
Instruction ID: f389f15fd0a8877f73eb6a91fb6ffbaafb7a2d8a217a3cbe01a0a4cb358a3832
Opcode Fuzzy Hash: 5e1b7fa75d798f3fa9518893cf7255a08fd4602d24c853d58b87a38f934e217c
Instruction Fuzzy Hash: 5581276940E3D19FC7438B785CF91823FA2AE1B24434F09DAC4C09F4B7E1995D49C7A2

Function 1000B70D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction ID: 9e0b5d620d62c11970e9cc848d1ca02f4ed839136e4bfa4bb83daef4b24ba54e
Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction Fuzzy Hash: AA313A33E2C6B607E324DF7E4C84025F7D6EB8A06275A8779DE88E7255D128EC518BD0

Function 10008AAD Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
Instruction ID: 9deb1ace0ade157a7cf376dc79b16b2541233208deadd1a3cef8bf08dc3f5488
Opcode Fuzzy Hash: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
Instruction Fuzzy Hash: 43F0682128E3C15DE30186685441BC1FF846B76314F0CC7CDB1D40B283C1954084CBA6

Function 1001E1FE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
Instruction ID: f0cb1bca0584f7cb9865d2b0003cd1252f49916ae924d73bcd8c513b2b9b2d6d
Opcode Fuzzy Hash: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
Instruction Fuzzy Hash: 11E0E5A440C38AFEC703AB3488840E93FA6EE91310F04840CF4C403A02E3B589A09332

Function 1000720E Relevance: 28.4, APIs: 6, Strings: 10, Instructions: 366COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
VariantInit.OLEAUT32(?), ref: 1000734D
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
VariantInit.OLEAUT32(?), ref: 10007377

Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
VariantInit.OLEAUT32(?), ref: 10007513

Strings

SetDNSServerSearchOrder, xrefs: 1000749B, 1000755F
Win32_NetworkAdapterConfiguration, xrefs: 1000722B
DNSServerSearchOrder, xrefs: 10007519
DefaultIPGateway, xrefs: 1000737C
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072A7
GatewayCostMetric, xrefs: 100073BE
IPEnabled=TRUE, xrefs: 10007226
Index, xrefs: 1000725D
SetGateways, xrefs: 100072F1, 100073F7
p=<u, xrefs: 1000733A, 10007513

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=<u
API String ID: 2640012081-3655912496
Opcode ID: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
Opcode Fuzzy Hash: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1

Function 10005989 Relevance: 25.6, APIs: 4, Strings: 13, Instructions: 81COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

C:\Users\user\Desktop, xrefs: 100059D7, 100059DD, 100059E5, 100059F0, 100059FD
12010043, xrefs: 1000599D, 100059A3
M%s, xrefs: 10005A0F
Mhost123.zz.am:6658, xrefs: 10005A14
%s\version.txt, xrefs: 100059FE
C:\Users\user\Desktop\12010043, xrefs: 100059F6
ECF4BBEA1588, xrefs: 10005A4B
C:\Users\user\Desktop\version.txt, xrefs: 10005A03
%s\%s, xrefs: 100059F1
12010043, xrefs: 100059A9
C:\Users\user\Desktop\Vb1S2HJcnN.dll, xrefs: 100059C9, 100059CE, 100059DC
host123.zz.am:6658, xrefs: 10005A0A
C:\Windows\SysWOW64\rundll32.exe, xrefs: 100059BF

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$12010043$12010043$C:\Users\user\Desktop$C:\Users\user\Desktop\12010043$C:\Users\user\Desktop\Vb1S2HJcnN.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BBEA1588$M%s$Mhost123.zz.am:6658$host123.zz.am:6658
API String ID: 2111968516-2065402243
Opcode ID: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
Opcode Fuzzy Hash: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72

Function 10004D36 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 308COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(?), ref: 10004ED1
VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 10005009
VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 1000500F

Strings

ProcessID, xrefs: 10004F0C
svchost.exe, xrefs: 10004F6F
Name, xrefs: 10004EE2
WQL, xrefs: 10004E42
SELECT * FROM , xrefs: 10004DEA
CommandLine, xrefs: 10004EF7
p=<u, xrefs: 10004E9C
svchost.exe -k NetworkService, xrefs: 10004FE0

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=<u$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-3501905436
Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 102filethreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000574F
wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.VB1S2HJCNN(?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000,?,1000720C), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,00000000), ref: 10005835

Strings

c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
Win32_process, xrefs: 100057ED
%s\%s, xrefs: 10005749
ROOT\CIMv2, xrefs: 100057F2
c:\windows\system32\drivers\%s, xrefs: 100057AB

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 1788855648-1421401311
Opcode ID: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
Opcode Fuzzy Hash: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91

Function 100053B7 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 179sleepfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10005437
wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.VB1S2HJCNN(?,?,10016594,?,00000000), ref: 100054DE
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,00000000,75BF8400,?,40000000,00000001,00000000,00000002,00000000,00000000,7598C650,?,?,00000009,00000000,10016594), ref: 100055AE

Strings

%s\%s, xrefs: 10005431
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
c:\windows\system32\drivers\%s, xrefs: 10005498

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
API String ID: 518940211-4228670124
Opcode ID: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
Opcode Fuzzy Hash: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50

Function 10004351 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,cmd.exe), ref: 100043A6
Sleep.KERNEL32(000003E8), ref: 100043E5

Strings

QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==, xrefs: 100043BF
cmd.exe, xrefs: 1000435C, 10004362, 10004370
self, xrefs: 1000437E
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==, xrefs: 100043A8, 100043AD, 100043CB

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
API String ID: 3472027048-2620343502
Opcode ID: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
Instruction ID: 2962837d3e63ffe82077fec71eea4cc39f059f6aab2461bdb2792d37a05628b4
Opcode Fuzzy Hash: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
Instruction Fuzzy Hash: 370126BA000394BAFB12BB74EC46F9E3B5CDF452E2F120016F9446D086CEB5AA804565

Function 10005F15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98timeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?,000000BC,00000000,?,00000128,00000000), ref: 10005F21

Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,00000000,00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?), ref: 10004132

Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD

___crtGetTimeFormatEx.LIBCMT ref: 10005F79

Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(00000000,00000010,?,00000000,00000000,10005F7E,?,10005F7E,00000000,00000000,?,00000010,00000000,00000000), ref: 10004064

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4

Strings

C:\Users\user\Desktop, xrefs: 10005FA3
%s\lang.ini, xrefs: 10005FAE

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3793502078-1738621931
Opcode ID: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
Opcode Fuzzy Hash: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1

Function 10005CF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

C:\Users\user\Desktop, xrefs: 10005D16
http://, xrefs: 10005D87
%s\lang.ini, xrefs: 10005D26
search, xrefs: 10005D9B

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-2283769073
Opcode ID: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
Opcode Fuzzy Hash: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60

Function 10005C4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

C:\Users\user\Desktop, xrefs: 10005C6B
http://, xrefs: 10005CDC
%s\lang.ini, xrefs: 10005C7B

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-2510504628
Opcode ID: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
Opcode Fuzzy Hash: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

Function 100087F4 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 32sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10008824
Sleep.KERNEL32(000007D0,?,?), ref: 10008845

Strings

C:\Users\user\Desktop, xrefs: 1000880B
Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
API String ID: 1749205058-3359968284
Opcode ID: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
Instruction ID: cb8f3af107b47666e7401f40fe0349a9d09f1feb376e898973d7629cffdb37cc
Opcode Fuzzy Hash: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
Instruction Fuzzy Hash: 00F0AEF250019DABEB15CBA4CC857EA3768FF04285F040975F705F5051DBB19AC44A55

Function 10007A62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 10007AA1

Strings

, xrefs: 10007B0D
p=<u, xrefs: 10007AA1

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: $p=<u
API String ID: 1927566239-2520713026
Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61

Function 10005F98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4

Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D

Strings

C:\Users\user\Desktop, xrefs: 10005FA3
%s\lang.ini, xrefs: 10005FAE

Memory Dump Source

Source File: 00000003.00000002.4203226496.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4203200212.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203265128.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203306292.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203338072.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203372330.000000001003D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4203418013.000000001004F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueue
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3486561800-1738621931
Opcode ID: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
Instruction ID: 2e9b22e8cb94d114ab57fa925500967999958ebf182bde47e5e7f2d31677baea
Opcode Fuzzy Hash: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
Instruction Fuzzy Hash: 23E0687290112432E670D1669C07FCF3E9CDB857F4F000220B688E60C4DAB4AAC4C6E0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Vb1S2HJcnN.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\1.txt

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_e1e1aca2-3cd9-473d-81e1-bc7a46e9e26e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fee72e296cfe876676a0f903eac30ffbede4e6_7522e4b5_568bb817-f66d-436b-80f0-4346d190c4a8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8679.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8754.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8794.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9250.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER92ED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER930D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
Vb1S2HJcnN.dll

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre