
Windows Analysis Report
81mieek02V.dll

Overview

General Information

Sample name: 81mieek02V.dll (renamed because the original name is a hash value)
Original sample name: 9f79ed51c51057b765256f856cd3690737c98fce.dll
Analysis ID: 1558404
MD5: 703dd9fac2280e224a1949db0cf545a3
SHA1: 9f79ed51c51057b765256f856cd3690737c98fce
SHA256: 5397c40c0f4bbe1b202069a612b03dac27a0c33eeec7ac97df264b9afbb84da4
Tags: dll, user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
PE file has a writeable .text section
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7516 cmdline: loaddll32.exe "C:\Users\user\Desktop\81mieek02V.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7572 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7664 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 7720 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 7580 cmdline: rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7848 cmdline: rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7876 cmdline: rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8156 cmdline: rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7192 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 6032 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 8164 cmdline: rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8172 cmdline: rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 6720 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 6464 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2384 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 7692 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 7700 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7636 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source: 81mieek02V.dll | Rule: Winnti_NlaifSvc | Description: Winnti sample - file NlaifSvc.dll | Author: Florian Roth | Strings:
  • 0x3b77e:$x1: cracked by ximo
  • 0x3b838:$x1: cracked by ximo
  • 0x3b8f2:$x1: cracked by ximo
  • 0x3b9ac:$x1: cracked by ximo
  • 0x3ba66:$x1: cracked by ximo
  • 0x3bb20:$x1: cracked by ximo
  • 0x3bbda:$x1: cracked by ximo
  • 0x3bc94:$x1: cracked by ximo
  • 0x402d6:$x1: cracked by ximo
  • 0x43d1b:$x1: cracked by ximo
Source: 11.2.rundll32.exe.10000000.0.unpack | Rule: Winnti_NlaifSvc | Description: Winnti sample - file NlaifSvc.dll | Author: Florian Roth | Strings: $x1 matches at the same offsets as in the sample file
Source: 3.2.rundll32.exe.10000000.0.unpack | Rule: Winnti_NlaifSvc | Description: Winnti sample - file NlaifSvc.dll | Author: Florian Roth | Strings: $x1 matches at the same offsets as in the sample file
Source: 19.2.rundll32.exe.10000000.0.unpack | Rule: Winnti_NlaifSvc | Description: Winnti sample - file NlaifSvc.dll | Author: Florian Roth | Strings: $x1 matches at the same offsets as in the sample file

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7580, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtfd
No Suricata rule has matched

AV Detection

Source: 81mieek02V.dll | Avira: detected
Source: 81mieek02V.dll | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 81mieek02V.dll | Joe Sandbox ML: detected
Source: 81mieek02V.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.* | source: rundll32.exe, 00000003.00000003.1820773335.00000000009EB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.253 18659
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.254 23588
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: host123.zz.am
Source: global traffic | TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: global traffic | TCP traffic: 107.160.131.253 ports 1,5,6,8,9,18659
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 107.163.56.110:18530
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 107.160.131.253:18659
Source: global traffic | TCP traffic: 192.168.2.8:49740 -> 107.160.131.254:23588
Source: Joe Sandbox View | ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View | ASN Name: AS40676US AS40676US
Source: global traffic | TCP traffic: 192.168.2.8:49766 -> 202.108.0.52:80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10003F41 InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: host123.zz.am
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn

System Summary

Source: 81mieek02V.dll, type: SAMPLE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 19.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 81mieek02V.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10008AAD DeviceIoControl
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 305 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 672
Source: 81mieek02V.dll | Binary or memory string: OriginalFilename jscript.dll vs 81mieek02V.dll
Source: 81mieek02V.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 81mieek02V.dll, type: SAMPLE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 81mieek02V.dll | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@42/10@49/5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10003FB7 CreateToolhelp32Snapshot
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\Desktop\12010043
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\host123.zz.am:6658
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1152:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mhost123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8172
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7876
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\00987261-4711-47d5-a380-5cd68794a3ac
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,DoAddToFavDlg
Source: 81mieek02V.dll | ReversingLabs: Detection: 78%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\81mieek02V.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,DoAddToFavDlg
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 672
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 668
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,DoAddToFavDlgJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,PrintFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlgJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",PrintFileJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000003.00000003.1820773335.00000000009EB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003900A push dword ptr [esp+4Ch]; retn 0050h3_2_1003901C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10027023 push dword ptr [esp+18h]; retn 001Ch3_2_1002A254
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F024 push dword ptr [esp+14h]; retn 0018h3_2_1002F036
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10029029 push dword ptr [esp+38h]; retn 003Ch3_2_10027C71
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10029029 pushad ; mov dword ptr [esp], 73E57D1Ah3_2_10029046
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1003B02D push dword ptr [esp+50h]; retn 0054h3_2_1003B061
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F039 push esp; mov dword ptr [esp], B1CF2C6Dh3_2_1002F051
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F039 push dword ptr [esp+50h]; retn 0054h3_2_1002F068
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10035048 push dword ptr [esp+50h]; retn 0054h3_2_100351D7
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10033059 push dword ptr [esp+50h]; retn 0054h3_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10033064 push dword ptr [esp+50h]; retn 0054h3_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002D06D push dword ptr [esp+38h]; retn 003Ch3_2_1002D08D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10031079 push dword ptr [esp+30h]; retn 0034h3_2_10031095
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10027080 push ebp; mov dword ptr [esp], edx3_2_1002FD0B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10027080 push dword ptr [esp+04h]; retn 0008h3_2_1002FD4E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023085 push dword ptr [esp+38h]; retn 003Ch3_2_10023093
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023096 push dword ptr [esp+50h]; retn 0054h3_2_100230B3
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100330A5 push dword ptr [esp+2Ch]; retn 0030h3_2_1002B78C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100330A5 push dword ptr [esp+04h]; retn 0008h3_2_1003B2DF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100230B6 push dword ptr [esp+34h]; retn 0038h3_2_1002F874
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100270BA push dword ptr [esp+34h]; retn 0038h3_2_1002AD33
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100250BC push dword ptr [esp+44h]; retn 0048h3_2_1003408E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002F0D4 push dword ptr [esp+0Ch]; retn 0014h3_2_1002F0EF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h3_2_100282E3
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h3_2_100338DA
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100350D9 push dword ptr [esp+50h]; retn 0054h3_2_10035102
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100250D9 push dword ptr [esp+14h]; retn 0018h3_2_100250F0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002B0E4 push dword ptr [esp+48h]; retn 004Ch3_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002D0EF push dword ptr [esp+10h]; retn 0014h3_2_1002D116
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002B0EF push dword ptr [esp+48h]; retn 004Ch3_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10039107 push dword ptr [esp+4Ch]; retn 0050h3_2_10039116

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_3-17259
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001E1FE rdtsc 3_2_1001E1FE
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 180000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 300000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 3600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 369Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 5413Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776Thread sleep count: 369 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776Thread sleep time: -664200000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3284Thread sleep count: 33 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3284Thread sleep time: -330000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7844Thread sleep count: 33 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7584Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3032Thread sleep time: -1800000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7096Thread sleep time: -2340000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1280Thread sleep time: -2400000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4472Thread sleep time: -2400000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7540Thread sleep time: -2700000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3276Thread sleep time: -3600000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776Thread sleep count: 5413 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776Thread sleep time: -9743400000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7584Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose,3_2_10007F3E
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 180000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 300000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 3600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: rundll32.exe, 00000003.00000003.1730291364.0000000000857000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: rundll32.exe, 00000003.00000002.3884846057.000000000056B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: s\Applications\\VMwareHoP
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000003.00000002.3893503666.000000000463B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Applications\\VMwareHostOpen.exe
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001E1FE rdtsc 3_2_1001E1FE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.160.131.253 18659
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.160.131.254 23588
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: host123.zz.am
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe  Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (46 identical entries)
Source: Amcache.hve.14.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr  Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe  Device IO: \Device\Harddisk0\DR0 (4 identical entries)
MITRE ATT&CK Matrix (tactic: technique, with the hit count shown in the matrix cell)

Execution: Native API (1)
Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (111); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1); DLL Side-Loading (1)
Credential Access: no technique marked
Discovery: Security Software Discovery (31); Virtualization/Sandbox Evasion (31); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (111)
Lateral Movement: no technique marked
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: no technique marked
Impact: System Shutdown/Reboot (1)

Reconnaissance, Resource Development and Initial Access: no technique marked. Cells of the matrix grid that carry no hit count (the remaining ATT&CK techniques the grid always lists) are not repeated here.
Behavior Graph (ID 1558404; sample 81mieek02V.dll; start date 19/11/2024; architecture WINDOWS; score 100), rendered as a process tree

Contacted domains: host123.zz.am, blogx.sina.com.cn, blog.sina.com.cn
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures

Start
├─ loaddll32.exe
│  ├─ cmd.exe  [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
│  │  └─ rundll32.exe  [Queries disk data (e.g. SMART data)]
│  │     └─ cmd.exe  [Uses ping.exe to sleep]
│  │        ├─ PING.EXE  -> 127.0.0.1
│  │        └─ conhost.exe
│  ├─ rundll32.exe  -> host123.zz.am; 107.163.56.110:18530 (TAKE2US, United States); 3 other IPs or domains
│  │     [System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Creates an autostart registry key pointing to binary in C:\Windows]
│  ├─ rundll32.exe  [Queries disk data (e.g. SMART data)]
│  │  └─ cmd.exe  [Uses ping.exe to sleep]
│  │     ├─ conhost.exe
│  │     └─ PING.EXE
│  └─ 5 other processes
│     ├─ WerFault.exe
│     └─ WerFault.exe
├─ rundll32.exe
│  └─ cmd.exe
│     ├─ conhost.exe
│     └─ PING.EXE
└─ rundll32.exe
   └─ cmd.exe
      ├─ conhost.exe
      └─ PING.EXE

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label)
81mieek02V.dll | 79% | ReversingLabs | Win32.Backdoor.Farfli
81mieek02V.dll | 100% | Avira | TR/Crypt.PEPM.Gen
81mieek02V.dll | 100% | Joe Sandbox ML | (no label)
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
http://107.160.131.254:23588/article.phpK | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpsi | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpttings | 0% | Avira URL Cloud | safe
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWnd | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpC: | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpv | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.html | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpx/3.6.15 | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpop | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530u1129.html | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpP_W | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpuiL | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpt | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php. | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpa6 | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpy | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php0 | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php- | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpo | 0% | Avira URL Cloud | safe
http://www.rsac.org/ratingsv01.html | 0% | Avira URL Cloud | safe
http://107.160.13I | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpX | 0% | Avira URL Cloud | safe
http://107.160.131.253:18659/ | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpd | 0% | Avira URL Cloud | safe
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWndm | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php$ | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpWindows | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpR | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpU | 0% | Avira URL Cloud | safe

The many variants ending in stray characters (article.phpK, article.phpttings, article.phpWindows and so on), the missing-slash form 107.163.56.110:18530u1129.html and the truncated http://107.160.13I are the same strings read out of process memory together with adjacent bytes, not separate endpoints. The distinct URLs behind them are http://107.160.131.254:23588/article.php, the joy.asp?sid= URL on 107.160.131.253:18659 and http://107.163.56.110:18530/u1129.html, all on non-standard ports. Avira URL Cloud rated every one of them "safe" at analysis time even though the three hosting IPs are marked malicious in the IP table below, so a "safe" URL verdict here should not be read as a clean bill for the sample's network activity.
Contacted domains (Name | IP | Active | Malicious | Reputation; no antivirus detection is listed for any domain)
blogx.sina.com.cn | 202.108.0.52 | true | false | high
host123.zz.am | unknown | unknown | true | unknown
blog.sina.com.cn | unknown | unknown | false | high
URLs found in memory and files (Name | Malicious | Antivirus Detection | Reputation; the sources each string was found in follow on the next line)

http://107.160.131.254:23588/article.php | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 0000000B.00000002.3105438873.0000000010012000.00000040.00000001.01000000.00000003.sdmp; rundll32.exe, 00000013.00000002.3424148455.0000000010012000.00000040.00000001.01000000.00000003.sdmp; 81mieek02V.dll
http://107.160.131.254:23588/article.phpx/3.6.15 | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.3145080967.000000000099B000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpK | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.3145080967.000000000099B000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093~V | false | none | high
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpttings | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpC: | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3900645695.000000000560D000.00000004.00000010.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.3900881412.000000000582A000.00000004.00000010.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpsi | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.163.56.110:18530/u1129.html | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWnd | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp
http://upx.sf.net | false | none | high
  sources: Amcache.hve.14.dr
http://107.160.131.254:23588/article.phpop | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2062100348.00000000009FE000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/%s | false | none | high
  sources: rundll32.exe, 00000003.00000002.3903332167.0000000006993000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093 | false | none | high
  sources: rundll32.exe, 00000003.00000002.3900984971.00000000059FD000.00000004.00000010.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpv | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpy | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://107.163.56.110:18530u1129.html | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3898385688.0000000004A8D000.00000004.00000010.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpuiL | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpt | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpa6 | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpo | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.php. | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.php0 | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.php- | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093n4 | false | none | high
  sources: rundll32.exe, 00000003.00000003.2666331827.00000000009F9000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpP_W | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://www.rsac.org/ratingsv01.html | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe; rundll32.exe, 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp; rundll32.exe, 0000000B.00000002.3106003483.000000001003D000.00000040.00000001.01000000.00000003.sdmp; rundll32.exe, 00000013.00000002.3424235070.000000001003D000.00000040.00000001.01000000.00000003.sdmp; 81mieek02V.dll
http://107.160.131.253:18659/ | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe; rundll32.exe, 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp; rundll32.exe, 0000000B.00000002.3105438873.0000000010012000.00000040.00000001.01000000.00000003.sdmp; rundll32.exe, 00000013.00000002.3424148455.0000000010012000.00000040.00000001.01000000.00000003.sdmp; 81mieek02V.dll
http://107.160.131.254:23588/article.php$ | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpd | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.3145080967.000000000099B000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093z | false | none | high
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.3885950674.000000000092A000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWndm | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000093E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2348218877.0000000000949000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093ktop | false | none | high
  sources: rundll32.exe, 00000003.00000003.2262195935.00000000009FE000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.2262409750.00000000009FE000.00000004.00000020.00020000.00000000.sdmp
http://107.160.13I | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3900572308.000000000558D000.00000004.00000010.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpX | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.2348218877.000000000098E000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://blog.sina.com.cn/u/5762479093zj | false | none | high
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000092A000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpR | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpU | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000003.3145080967.000000000099B000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000003.1821029258.000000000099C000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
http://107.160.131.254:23588/article.phpWindows | false | Avira URL Cloud: safe | unknown
  sources: rundll32.exe, 00000003.00000002.3885950674.000000000098E000.00000004.00000020.00020000.00000000.sdmp
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
107.160.131.253 | unknown | United States | 40676 | AS40676US | true
107.160.131.254 | unknown | United States | 40676 | AS40676US | true

Local IP contacted: 127.0.0.1 (loopback, the target of the PING.EXE sleep loops)
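The process chain in the behavior graph above (loaddll32.exe spawning cmd.exe, cmd.exe spawning rundll32.exe, and a further cmd.exe pinging 127.0.0.1 as a sleep) and the IP:port pairs in the IP and URL tables, replayed as a detection. This is an added example and is not code from the Joe Sandbox report or from the sample; it assumes Sysmon-style process-create and network-connect events with field names chosen here, the PIDs and command lines are constructed to mirror the graph's nodes (the real ping command line is not shown in this section), and the C2 endpoints are the IP:port pairs this report lists.

```python
"""Replay the report's behaviour graph over constructed Sysmon-style events.

Two detections, both taken from what the report shows:
  1. "Uses ping.exe to sleep": PING.EXE against 127.0.0.1, launched by a
     cmd.exe whose parent is the DLL host (rundll32.exe / loaddll32.exe).
  2. rundll32.exe connecting to the report's C2 hosts on non-standard ports.
Event field names (eid, pid, ppid, image, cmdline, dst_ip, dst_port) are an
assumption modelled on Sysmon EventID 1 and 3; nothing here is Joe Sandbox code.
"""
from dataclasses import dataclass
import re

# C2 endpoints (IP, TCP port) from the report's IP and URL tables.
C2_ENDPOINTS = {
    ("107.163.56.110", 18530),
    ("107.160.131.253", 18659),
    ("107.160.131.254", 23588),
}
# Ports that do not by themselves make a rundll32.exe connection suspicious.
STANDARD_PORTS = {53, 80, 443, 8080}
# Images the report shows hosting the malicious DLL.
LOADER_IMAGES = {"rundll32.exe", "loaddll32.exe"}

PING_LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.IGNORECASE)


@dataclass
class Event:
    eid: int              # 1 = process create, 3 = network connect
    pid: int
    image: str
    cmdline: str = ""
    ppid: int = 0
    dst_ip: str = ""
    dst_port: int = 0


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (PING.EXE -> ping.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours seen in the report."""
    procs = {e.pid: e for e in events if e.eid == 1}   # pid -> process-create event
    hits = []
    for e in events:
        if e.eid == 1 and basename(e.image) == "ping.exe" and PING_LOOPBACK.search(e.cmdline):
            # A ping to loopback is a delay loop; it only matters when the shell that
            # ran it was itself started by the DLL host, as in the behaviour graph.
            parent = procs.get(e.ppid)
            grandparent = procs.get(parent.ppid) if parent else None
            if (parent and basename(parent.image) == "cmd.exe"
                    and grandparent and basename(grandparent.image) in LOADER_IMAGES):
                m = PING_COUNT.search(e.cmdline)
                hits.append(("ping_sleep", e.pid, int(m.group(1)) if m else None))
        elif e.eid == 3 and basename(e.image) == "rundll32.exe":
            if (e.dst_ip, e.dst_port) in C2_ENDPOINTS:
                hits.append(("c2_ioc", e.pid, f"{e.dst_ip}:{e.dst_port}"))
            elif e.dst_port not in STANDARD_PORTS and not e.dst_ip.startswith("127."):
                hits.append(("nonstandard_port", e.pid, f"{e.dst_ip}:{e.dst_port}"))
    return hits


# Constructed events mirroring the report's tree; graph node numbers reused as PIDs.
SAMPLE_EVENTS = [
    Event(1, 10, r"C:\Windows\SysWOW64\loaddll32.exe", "loaddll32.exe 81mieek02V.dll", ppid=2),
    Event(1, 16, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c rundll32.exe 81mieek02V.dll,#1", ppid=10),
    Event(1, 30, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe 81mieek02V.dll,#1", ppid=16),
    Event(1, 47, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 3", ppid=30),
    Event(1, 54, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3", ppid=47),
    Event(1, 19, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe 81mieek02V.dll,#1", ppid=10),
    Event(3, 19, r"C:\Windows\SysWOW64\rundll32.exe", dst_ip="107.163.56.110", dst_port=18530),
    Event(3, 19, r"C:\Windows\SysWOW64\rundll32.exe", dst_ip="202.108.0.52", dst_port=80),
    # Benign control: an interactive shell pinging a gateway must not fire.
    Event(1, 90, r"C:\Windows\explorer.exe", "explorer.exe", ppid=1),
    Event(1, 91, r"C:\Windows\System32\cmd.exe", "cmd.exe", ppid=90),
    Event(1, 92, r"C:\Windows\System32\PING.EXE", "ping 10.0.0.1 -n 1", ppid=91),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against SAMPLE_EVENTS the detector reports exactly two hits: the loopback ping under rundll32.exe (node 54, a 3-second sleep) and the rundll32.exe connection to 107.163.56.110:18530. The port-80 connection to 202.108.0.52 and the interactive ping to 10.0.0.1 are left alone, which is the point of keying the ping rule on the parent chain rather than on ping.exe itself.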
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1558404
                        Start date and time:2024-11-19 13:21:59 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 50s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:37
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:81mieek02V.dll
                        renamed because original name is a hash value
                        Original Sample Name:9f79ed51c51057b765256f856cd3690737c98fce.dll
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winDLL@42/10@49/5
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 93%
                        • Number of executed functions: 28
                        • Number of non-executed functions: 20
                        Cookbook Comments:
                        • Found application associated with file extension: .dll
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.20
                        • Excluded domains from analysis (whitelisted): login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 81mieek02V.dll
Time | Type | Description
07:22:57 | API Interceptor | 1130791x Sleep call for process: rundll32.exe modified
07:23:04 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
07:25:43 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Similar samples by IP (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)

202.108.0.52
  VqCbf9fhnQ.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
  k4F4uRTZZR.dll | malicious | Unknown | blog.sina.com.cn/u/5655029807
  5jme4p7u76.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807

107.163.56.110
  Vb1S2HJcnN.dll | malicious | Unknown
  02hNixBIvP.exe | malicious | Unknown
  abc.dll | malicious | Unknown

107.160.131.253
  Vb1S2HJcnN.dll | malicious | Unknown

107.160.131.254
  Vb1S2HJcnN.dll | malicious | Unknown
Similar samples by domain (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)

blogx.sina.com.cn
  Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
  VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
  k4F4uRTZZR.dll | malicious | Unknown | 202.108.0.52
  http://zeuso.cc | malicious | Unknown | 202.108.0.52
  02hNixBIvP.exe | malicious | Unknown | 202.108.0.52
  5jme4p7u76.exe | malicious | Unknown | 202.108.0.52
  abc.dll | malicious | Unknown | 123.126.45.92
Similar samples by ASN (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)

AS40676US (the ASN of both 107.160.131.253 and 107.160.131.254)
  Vb1S2HJcnN.dll | malicious | Unknown | 107.160.131.254
  Malwarebytes Premium v4.6.8.311.exe | malicious | Unknown | 41.216.183.30
  Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
  QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
  5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
  e8HOp8k5Kj.js | malicious | Unknown | 45.61.137.33
  Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
  QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
  5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
  e8HOp8k5Kj.js | malicious | Unknown | 45.61.137.33

CHINA169-BJChinaUnicomBeijingProvinceNetworkCN
  Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
  owari.mips.elf | malicious | Unknown | 111.193.177.206
  owari.x86.elf | malicious | Unknown | 60.194.199.155
  VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
  hmips.elf | malicious | Mirai | 111.196.123.227
  botx.m68k.elf | malicious | Mirai | 123.112.202.42
  botx.ppc.elf | malicious | Mirai | 113.45.119.194
  botx.arm.elf | malicious | Mirai | 211.145.29.8
  xd.m68k.elf | malicious | Mirai | 114.117.36.234
                                  xd.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 219.238.44.6
                                  TAKE2USVb1S2HJcnN.dllGet hashmaliciousUnknownBrowse
                                  • 107.163.56.110
                                  VqCbf9fhnQ.exeGet hashmaliciousUnknownBrowse
                                  • 107.163.43.253
                                  yakuza.m68k.elfGet hashmaliciousUnknownBrowse
                                  • 107.163.215.236
                                  DHL_doc.exeGet hashmaliciousFormBookBrowse
                                  • 107.163.130.253
                                  wODub61gZe.exeGet hashmaliciousFormBookBrowse
                                  • 107.163.130.249
                                  mips.elfGet hashmaliciousMiraiBrowse
                                  • 107.163.25.123
                                  INVOICES.exeGet hashmaliciousFormBookBrowse
                                  • 107.163.130.253
                                  sh4.elfGet hashmaliciousMiraiBrowse
                                  • 23.231.236.168
                                  armv6l.elfGet hashmaliciousUnknownBrowse
                                  • 23.231.236.146
                                  3qsTcL9MOT.exeGet hashmaliciousFormBookBrowse
                                  • 107.163.96.57
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):707
                                  Entropy (8bit):4.513669632585202
                                  Encrypted:false
                                  SSDEEP:6:yFOvHqs+dDnarD3UxX9IRQX30XEQdKfUfUfUfUfUfUfUfUfUfUfUfUfUfUfUfUfB:80GKDExX9sa30UQdo
                                  MD5:AC5A40EB28714C91BF03D4AE329453E0
                                  SHA1:7413A451CA9F08853B97B953E922B9D768A5662C
                                  SHA-256:A6E29175CC5A2CF8E7F3DC1BB99C4EB67B7B6BFB95135E9A9EDDBC3178FF3251
                                  SHA-512:CFADE49F3F71BF4971049A5641864D201801446A1734D8CD184A58CF1DD6E5263F5A3A02EE58DC95FF9055CA6011C32B58365CB6DD9695F29D4D6F25C33465AF
                                  Malicious:false
                                  Preview:..2024-11-21 11:09..iOffset....2024-11-23 02:50..iOffset....2024-11-24 00:18..iOffset....2024-11-25 17:30..iOffset....2024-11-27 13:21..iOffset....2024-11-28 14:40..iOffset....2024-11-29 20:14..iOffset....2024-12-03 02:55..iOffset....2024-12-07 23:49..iOffset....2024-12-11 17:44..iOffset....2024-12-21 17:59..iOffset....2025-06-14 06:22..iOffset....2035-08-05 11:58..iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.950660304130958
                                  Encrypted:false
                                  SSDEEP:192:fYi6OCZ30BU/wjeTGW6ZYzuiFdZ24IO8dci:gib0EBU/wjeS7YzuiFdY4IO8dci
                                  MD5:A9DC248DC7A6385B3B2ED3E7CE6E883F
                                  SHA1:4A9BE26A60D0BECAFB000C9A7652AAC586D8F25E
                                  SHA-256:6BDD255A0E561C40A78B099E71BF609ADDA08222B2312093EF51B76813E7297D
                                  SHA-512:5E162487232592FB549DDB2210FD651A05E08BBAEBF84E5AC4330A1FA89FFA5420D8BF924C0ED246744281577A3C67535AD05609D6461B40B429FB28D67DA87E
                                  Malicious:false
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.2.5.8.1.6.7.1.2.3.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.2.5.8.2.4.5.2.4.9.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.a.5.a.6.e.c.-.a.6.3.e.-.4.4.8.c.-.b.5.2.e.-.0.7.5.0.4.7.d.f.5.4.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.b.7.9.6.7.4.-.6.6.b.4.-.4.4.2.7.-.9.5.0.f.-.f.4.8.d.a.0.2.2.8.0.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.c.4.-.0.0.0.1.-.0.0.1.4.-.2.7.4.3.-.5.f.c.6.7.d.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9505495766227757
                                  Encrypted:false
                                  SSDEEP:192:cyLilOuxv0BU/wjeTWWaZYzuiFdZ24IO8dci:zLicuxcBU/wjeibYzuiFdY4IO8dci
                                  MD5:8426AE0380B32B076C2CD4991CF775E3
                                  SHA1:571408AE48019AB4A904251BE7ACCDCEE412DAA6
                                  SHA-256:A217DD176F4C5B7C706A8CD00A4480195673F96B841E77CA1A602BFCCCF30A75
                                  SHA-512:8F401DFBB4F0C262717E82873B212F0DF6CFFB16BC5AB56BA42BD913741B64B621554F8BCFEF836118C97E492754870530525FDDF2ED1F3AC5BBCF7DBC65A914
                                  Malicious:false
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.2.5.8.4.9.3.2.5.9.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.2.5.8.5.4.4.8.2.0.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.8.3.5.5.c.5.-.0.5.c.b.-.4.b.c.e.-.a.a.3.e.-.d.e.3.5.f.c.5.0.9.4.c.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.2.9.8.9.8.9.-.3.f.c.8.-.4.c.7.f.-.8.7.d.3.-.5.f.7.d.2.9.6.4.6.4.1.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.c.-.0.0.0.1.-.0.0.1.4.-.b.c.b.3.-.3.1.c.8.7.d.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 12:23:01 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):45552
                                  Entropy (8bit):2.0176218639730443
                                  Encrypted:false
                                  SSDEEP:192:P3qddVZLXpXHNQCXO5H4JHChxs/2REErjG5LO7F6iocFS:/qdjZi5HcHCPs/IEErjG5LO7FfF
                                  MD5:0842375C2A28781A00F66AB38147E855
                                  SHA1:DFC791DAA6162F7ED6801656923DBD451084415F
                                  SHA-256:56E5F34321FD1B64CAAA7205CC1151DB5BB60068EDBAC0E128B3FDC19517D62F
                                  SHA-512:4D51D0BCEA03DB26F8B408584C09E438FACF78FB801CA288EF5259E6B8DC9D5148C562C8F66C40B08ECFF232DCB8800BBC1329B5FDC07895C2D5B1C38D0590AD
                                  Malicious:false
                                  Preview:MDMP..a..... .......%.<g........................................V/..........T.......8...........T...............(...........L...........8...............................................................................eJ..............GenuineIntel............T...........%.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8272
                                  Entropy (8bit):3.690952184880969
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJzE6Q6Yfk6IgmfTZopr+89be4sfNqm:R6lXJQ6Q6YM6IgmfTZaerfB
                                  MD5:DC9EA4B6B4A96CCF61FA32A2B918BA4B
                                  SHA1:BC47F4CEFA1866244D22AB0D16A5BE527FA9A471
                                  SHA-256:9E5E9288380A10671B474A80D24D7A5317445F29016C2DC782AA3EDFB5A6ABEE
                                  SHA-512:C5E6E5AAAB8B9D59FE857DEC02DD78427EC695B2A9013B4C583D14FF4AD80FA9692290F289EFC42CCE156C26272AE0A454D083873259C4BA6737D6C5FCD7447A
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.7.6.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4654
                                  Entropy (8bit):4.463863000679733
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsyJg77aI9BBtyWpW8VYlYm8M4JCdPSF4+q8/AEbGScSBd:uIjfAI7XBtT7VlJQ+J3Bd
                                  MD5:66CA9702FDE4BE1BD2C06176C8C17A7C
                                  SHA1:8BCE4B93F518356D2F2483B59D3DC5D12C4284B1
                                  SHA-256:75ECBDF101A2CA754CDE197DDDCD975C1D73900954E67044528DF4B30FD24347
                                  SHA-512:D566E7C0DE0D4806B055438F335983F6601265F2F627AB026643FA4E07A5C1E4AF2909D1A34EB7CF3D7E510DFAAAC0621580BA0452970BCA5E6ECB525629CB9B
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 12:23:05 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):44286
                                  Entropy (8bit):2.024496436739641
                                  Encrypted:false
                                  SSDEEP:192:bkpd13ZbvXpXlx0PXO5H4B6atHhforvjpPiR6b7wK:op3Zbp5HE6atHhorv9Pis
                                  MD5:B123A3CB1FD4493088F27F22F93F95CF
                                  SHA1:0C693486EDCE62AD4B7E25E3A3F35C382DD61B98
                                  SHA-256:6B8C8F82D3382F0FA89E1DDA95D51EB8AE1E7AE34C327EA8C2254C3A09CC3AB5
                                  SHA-512:8802DD883B3F4A02319914B93C970B7262242F676A3F29ECF42CE1D8EFB69FF14ED84D54124A07E6F6286EC7C9511E65A7D208ACDE4E82261665377241CD7F6C
                                  Malicious:false
                                  Preview:MDMP..a..... .......).<g........................................V/..........T.......8...........T...............^...........L...........8...............................................................................eJ..............GenuineIntel............T...........(.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8262
                                  Entropy (8bit):3.691956539802815
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJJW6M6YHQz6rgmfTxoprZ89bRssfA7m:R6lXJo6M6Ywz6rgmfTxbR/fx
                                  MD5:361E3075CEEF04F52C0D0E08BBD98107
                                  SHA1:22A971ED14728B8093F680D802A5B96FFD8FE86D
                                  SHA-256:828328F6715AFA0B209A3DFC518A52C19FA5CA909F75D8EEEC169CBE5AF3F69F
                                  SHA-512:348706607C8505F72E45A448F0E13B3383932A34661BAB67287915177BCAE31162B20CD122BA112208C011C19AA81642B5ED78E11BD4128113CFD5BA7ED942C3
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.7.2.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4654
                                  Entropy (8bit):4.465694737100821
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsyJg77aI9BBtyWpW8VYVYm8M4JCdPOFqwIm+q8/AvGScShd:uIjfAI7XBtT7VlJO9m3J3hd
                                  MD5:DC11BF421ED6B4A5F60EE98783141981
                                  SHA1:4D75496F3E66026F905BCA7824B19A123554BFB6
                                  SHA-256:630E89F8A5ADFB39566F6661F8BF497139D349E2F04728A3B279654BED08EA2B
                                  SHA-512:86DD742C60E6AB1100628E6B9B7D5557D08B37B1897DAAA4AB9411CB9C0CDCB4F9132303CBB5A32FA0640BEA884240EC6FBBD994B53CC854D60950E418528026
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.372873519540036
                                  Encrypted:false
                                  SSDEEP:6144:MFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:8V1QyWWI/glMM6kF7Kq
                                  MD5:C35CBD2CEF6E068FA36B2D7D07F9AB3D
                                  SHA1:FD286F14DEF26C4C94EA42371FCB276ED017D83D
                                  SHA-256:709746474C800127297CA702F04E6421536B137AED4997676049ACA1727354BC
                                  SHA-512:5AA9D5B5034D647FC9525C0E5CA64E7DDCD4110E3A973E9DD7115CA0A0854A443A7083E408EB87B83AD1D79701EEF5E5D10794B6D548D15A108508F505F04B1C
                                  Malicious:false
                                  Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.4..}:..............................................................................................................................................................................................................................................................................................................................................1T..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed
                                  Entropy (8bit):6.39398433928256
                                  TrID:
                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                  • DOS Executable Generic (2002/1) 0.20%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:81mieek02V.dll
                                  File size:322'777 bytes
                                  MD5:703dd9fac2280e224a1949db0cf545a3
                                  SHA1:9f79ed51c51057b765256f856cd3690737c98fce
                                  SHA256:5397c40c0f4bbe1b202069a612b03dac27a0c33eeec7ac97df264b9afbb84da4
                                  SHA512:69e3b4cf81bf8c5e2a944f22bf145442415882712957c1a64c051ad3a89b5dd9cd1247f2331fc429295bfda244799263bcebb347bcdc09339f7875c19af493d0
                                  SSDEEP:6144:YutK09bpsWYrPnP3UKLSr1TS8BbdrFucR+z+qagIK+bcgaI0C:BK0YWYrPP35LSrBS8LQ4+z+qagQYVIv
                                  TLSH:2C64AE0237B552F9D4F70A3A9F35E72DE33438109CA8DD159B8A18C91CE394AADD538B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................
                                  Icon Hash:7ae282899bbab082
                                  Entrypoint:0x10042ae6
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x10000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
                                  DLL Characteristics:
                                  Time Stamp:0x565C7C9C [Mon Nov 30 16:43:08 2015 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:1e14d607956b4cc2b9b7835c72bf0b77
                                  Instruction
                                  jmp 00007F6CA44CD65Eh
                                  adc byte ptr [ebp+6E3FA254h], al
                                  or eax, dword ptr [esi]
                                  mov cl, 92h
                                  Programming Language:
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ C ] VS98 (6.0) build 8168
                                  • [C++] VS98 (6.0) build 8168
                                  • [RES] VS98 (6.0) cvtres build 1720
                                  • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4fb24 | 0x68 | .rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d6cc | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0xb10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x49000 | 0x1628 | .text
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4e000 | 0x4ca00 | b29859f73b90e7f64037da48fbee12a8 | False | 0.5888783391109299 | data | 6.394873960706557 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4f000 | 0x2000 | 0x1e00 | a03763a40a39da37762a5efcd57a5136 | False | 0.6859375 | data | 6.354524003809639 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x51000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0x4b000 | 0x16c | data | English | United States | 0.5521978021978022
RT_STRING | 0x4b170 | 0x86 | data | English | United States | 0.6417910447761194
RT_STRING | 0x4b1f8 | 0x56 | data | English | United States | 0.6744186046511628
RT_STRING | 0x4b250 | 0x16e | data | English | United States | 0.505464480874317
RT_STRING | 0x4b3c0 | 0x128 | data | English | United States | 0.581081081081081
RT_STRING | 0x4b4e8 | 0xd2 | data | English | United States | 0.5761904761904761
RT_STRING | 0x4b5c0 | 0x6a | data | English | United States | 0.660377358490566
RT_STRING | 0x4b630 | 0xc8 | Matlab v4 mat-file (little endian) b, numeric, rows 0, columns 0 | English | United States | 0.555
RT_STRING | 0x4b6f8 | 0x200 | data | English | United States | 0.375
RT_STRING | 0x4b8f8 | 0x23e | data | English | United States | 0.44773519163763065
RT_STRING | 0x4bb38 | 0x12e | data | English | United States | 0.4503311258278146
RT_STRING | 0x4bc68 | 0xca | Matlab v4 mat-file (little endian) O, numeric, rows 0, columns 0 | English | United States | 0.42574257425742573
RT_STRING | 0x4bd38 | 0x252 | data | English | United States | 0.39225589225589225
RT_STRING | 0x4bf90 | 0x28e | data | English | United States | 0.43730886850152906
RT_STRING | 0x4c220 | 0xce | data | English | United States | 0.4563106796116505
RT_STRING | 0x4c2f0 | 0x15c | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | English | United States | 0.4166666666666667
RT_STRING | 0x4c450 | 0x398 | data | English | United States | 0.375
RT_STRING | 0x4c7e8 | 0x2ae | data | English | United States | 0.3688046647230321
RT_STRING | 0x4ca98 | 0x42 | data | English | United States | 0.4696969696969697
RT_STRING | 0x4cae0 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cb00 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cb20 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cb40 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cb60 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cb80 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cba0 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cbc0 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cbe0 | 0x7a | data | English | United States | 0.6475409836065574
RT_STRING | 0x4cc60 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cc80 | 0x20 | data | English | United States | 0.34375
RT_STRING | 0x4cca0 | 0x13a | Matlab v4 mat-file (little endian) ', numeric, rows 0, columns 0 | English | United States | 0.3821656050955414
RT_STRING | 0x4cde0 | 0x19a | data | English | United States | 0.4195121951219512
RT_STRING | 0x4cf80 | 0x9a | data | English | United States | 0.512987012987013
RT_STRING | 0x4d020 | 0xa8 | data | English | United States | 0.5833333333333334
RT_STRING | 0x4d0c8 | 0x20 | data | English | United States | 0.34375
RT_VERSION | 0x4f7f0 | 0x31c | data | English | United States | 0.4296482412060301
RT_HTML | 0x4d0e8 | 0x49 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.8493150684931506
RT_HTML | 0x4d138 | 0xd | HTML document, ASCII text, with no line terminators | English | United States | 1.3076923076923077
RT_HTML | 0x4d148 | 0x6be | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.5179606025492468
DLL | Import
MFC42.DLL |
MSVCRT.dll | _strcmpi
KERNEL32.dll | CreateDirectoryA
USER32.dll | GetDesktopWindow
ADVAPI32.dll | RegDeleteValueA
WS2_32.dll | htons
SHLWAPI.dll | PathIsDirectoryA
ole32.dll | CoUninitialize
OLEAUT32.dll | SafeArrayGetVartype
MSVCP60.dll | ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
NETAPI32.dll | Netbios
KERNEL32.dll | GetModuleFileNameW
KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
Name | Ordinal | Address
DoAddToFavDlg | 1 | 0x10008645
InputFile | 2 | 0x1000678b
PrintFile | 3 | 0x1000443d
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Nov 19, 2024 13:25:37.731626034 CET6281223588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:37.731631041 CET6295123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:37.794122934 CET6295380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:39.731642008 CET6281223588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:39.731749058 CET6295123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:39.870604038 CET6295380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:40.600379944 CET6529623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:40.704191923 CET6529723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:40.723093033 CET6529980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:41.731844902 CET6529623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:41.759262085 CET6529723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:41.759357929 CET6529980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:43.794151068 CET6529723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:43.794158936 CET6529980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:43.841002941 CET6529623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:44.607685089 CET5094723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:44.721802950 CET5108323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:44.721812963 CET5108280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:45.731643915 CET5094723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:45.731668949 CET5108280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:45.731831074 CET5108323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:47.731654882 CET5094723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:47.731682062 CET5108280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:47.731719971 CET5108323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:48.495071888 CET5296023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:48.495277882 CET5296123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:48.496026993 CET5296280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:49.544173002 CET5296023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:49.544176102 CET5296280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:49.593758106 CET5296123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:51.544156075 CET5296023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:51.544253111 CET5296280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:51.591197968 CET5296123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:52.664539099 CET5485323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:52.824212074 CET5488623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:52.824661970 CET5488780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:53.701781988 CET5485323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:53.841032982 CET5488623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:53.841090918 CET5488780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:55.794167995 CET5485323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:55.841037989 CET5488623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:55.842504978 CET5488780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:56.670073986 CET5723923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:56.798835039 CET5736623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:56.801053047 CET5736880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:57.731661081 CET5723923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:57.841048956 CET5736623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:57.887912989 CET5736880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:25:59.731658936 CET5723923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:59.841027021 CET5736623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:25:59.931087017 CET5736880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:00.694063902 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:00.818317890 CET5968580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:00.818320036 CET5968423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:01.718153000 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:01.840754032 CET5968423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:01.840868950 CET5968580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:03.769639969 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:03.882530928 CET5968423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:03.882636070 CET5968580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:04.701045036 CET6189523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:04.818497896 CET6198623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:04.824099064 CET6198880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:05.794249058 CET6189523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:05.981693983 CET6198623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:05.982527018 CET6198880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:07.794470072 CET6189523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:07.981710911 CET6198623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:07.981818914 CET6198880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:08.858515024 CET6383323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:08.982724905 CET6388880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:08.986399889 CET6389023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:09.981718063 CET6383323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:10.091068983 CET6388880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:10.091084003 CET6389023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:12.091090918 CET6383323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:12.091105938 CET6389023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:12.091113091 CET6388880192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:12.989805937 CET5008823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:12.990694046 CET5008923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:12.992611885 CET5009180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:14.044209957 CET5008923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:14.044245958 CET5009180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:14.091057062 CET5008823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:16.044213057 CET5008923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:16.044449091 CET5009180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:16.294200897 CET5008823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:16.998305082 CET5247623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:17.115685940 CET5258023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:17.119308949 CET5258280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:18.091075897 CET5247623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:18.231754065 CET5258023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:18.231771946 CET5258280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:20.091156006 CET5247623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:20.231795073 CET5258023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:20.231863976 CET5258280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:21.004184008 CET5539123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:21.125011921 CET5543523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:21.125209093 CET5543480192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:22.091192961 CET5539123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:22.294370890 CET5543523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:22.294389963 CET5543480192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:24.091093063 CET5539123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:24.481739998 CET5543480192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:24.481745005 CET5543523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:25.028697968 CET5721923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:25.169265032 CET5722623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:25.170376062 CET5722780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:26.089143038 CET5721923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:26.210571051 CET5722623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:26.210597992 CET5722780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:28.184860945 CET5721923588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:28.294229984 CET5722780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:28.294229031 CET5722623588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:29.029783010 CET5950423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:29.146573067 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:29.632668972 CET5987780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:30.044208050 CET5950423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:30.294215918 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:30.731722116 CET5987780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:32.044243097 CET5950423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:32.387993097 CET5957523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:32.731734991 CET5987780192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:33.069844007 CET6183023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:33.195310116 CET6192223588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:33.197086096 CET6192380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:34.231730938 CET6183023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:34.294248104 CET6192223588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:34.294258118 CET6192380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:36.231728077 CET6183023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:36.294246912 CET6192223588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:36.294567108 CET6192380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:37.097460985 CET6414823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:37.215465069 CET6425380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:37.239161015 CET6425523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:38.185125113 CET6414823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:38.294276953 CET6425380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:38.294558048 CET6425523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:40.240911961 CET6414823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:40.388060093 CET6425380192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:40.388062954 CET6425523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:41.108798981 CET5058723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:41.223166943 CET5072823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:41.224009037 CET5072980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:42.231786013 CET5072980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:42.231832981 CET5058723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:42.231971025 CET5072823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:44.231760025 CET5058723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:44.232616901 CET5072980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:44.232616901 CET5072823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:45.123792887 CET5355423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:45.237930059 CET5368823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:45.238743067 CET5368980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:46.231796026 CET5355423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:46.294291019 CET5368823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:46.294295073 CET5368980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:48.231775999 CET5355423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:48.294291973 CET5368980192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:48.294395924 CET5368823588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:49.139605045 CET5605723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:49.253603935 CET5615180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:49.257014990 CET5615323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:50.184921026 CET5605723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:50.294476986 CET5615323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:50.342657089 CET5615180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:52.294291973 CET5605723588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:52.294780970 CET5615323588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:52.341588974 CET5615180192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:53.155241013 CET5891523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:53.272355080 CET5902423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:53.272353888 CET5902580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:54.231959105 CET5891523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:54.388044119 CET5902423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:54.388607025 CET5902580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:56.231831074 CET5891523588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:56.481785059 CET5902423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:56.481952906 CET5902580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:57.170804024 CET6180423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:57.289189100 CET6193423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:57.289755106 CET6193580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:26:58.231765032 CET6180423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:58.341145039 CET6193423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:26:58.341891050 CET6193580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:00.232517004 CET6180423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:00.341162920 CET6193580192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:00.341166973 CET6193423588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:01.186471939 CET6278023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:01.315574884 CET6285123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:01.320489883 CET6285280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:02.253070116 CET6278023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:02.341146946 CET6285280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:02.388076067 CET6285123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:04.263151884 CET6278023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:04.356774092 CET6285280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:04.388020992 CET6285123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:08.263020992 CET6278023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:08.356787920 CET6285280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:08.388029099 CET6285123588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:16.263077021 CET6278023588192.168.2.8107.160.131.254
                                  Nov 19, 2024 13:27:16.356796980 CET6285280192.168.2.8202.108.0.52
                                  Nov 19, 2024 13:27:16.388051987 CET6285123588192.168.2.8107.160.131.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 13:23:20.851130962 CET | 63910 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:21.403458118 CET | 53 | 63910 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:25.092622042 CET | 56187 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:25.619621038 CET | 53 | 56187 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:27.309988976 CET | 53389 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:27.677083015 CET | 53 | 53389 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:30.061816931 CET | 62084 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:30.564500093 CET | 53 | 62084 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:35.302881002 CET | 64678 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:35.310664892 CET | 53 | 64678 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:40.124362946 CET | 61432 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:40.673605919 CET | 53 | 61432 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:45.108654022 CET | 59969 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:45.115885019 CET | 53 | 59969 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:50.110486984 CET | 62741 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:50.118160009 CET | 53 | 62741 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:23:55.085882902 CET | 58557 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:23:55.618839979 CET | 53 | 58557 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:00.101177931 CET | 62934 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:00.110347033 CET | 53 | 62934 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:05.093569994 CET | 51460 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:05.347250938 CET | 53 | 51460 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:10.093015909 CET | 61124 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:10.630876064 CET | 53 | 61124 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:15.077033043 CET | 59419 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:15.084805965 CET | 53 | 59419 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:20.055459023 CET | 50331 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:20.063033104 CET | 53 | 50331 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:25.060514927 CET | 61247 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:25.596714020 CET | 53 | 61247 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:28.144834995 CET | 65069 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:28.693099022 CET | 53 | 65069 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:30.047977924 CET | 58223 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:30.055006027 CET | 53 | 58223 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:35.061002970 CET | 56560 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:35.604775906 CET | 53 | 56560 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:40.045208931 CET | 63468 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:40.052668095 CET | 53 | 63468 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:45.044869900 CET | 54930 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:45.052067041 CET | 53 | 54930 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:50.046860933 CET | 51949 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:50.054250002 CET | 53 | 51949 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:24:55.046518087 CET | 58689 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:24:55.541901112 CET | 53 | 58689 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:00.054855108 CET | 59369 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:00.542938948 CET | 53 | 59369 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:05.047591925 CET | 59534 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:05.055120945 CET | 53 | 59534 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:10.046014071 CET | 64084 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:10.053042889 CET | 53 | 64084 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:15.044374943 CET | 57631 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:15.051698923 CET | 53 | 57631 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:20.045089006 CET | 62564 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:20.052128077 CET | 53 | 62564 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:25.045387030 CET | 57733 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:25.584173918 CET | 53 | 57733 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:28.661644936 CET | 51681 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:29.125828981 CET | 53 | 51681 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:30.046004057 CET | 54980 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:30.053647995 CET | 53 | 54980 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:35.045310020 CET | 57982 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:35.053432941 CET | 53 | 57982 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:40.174962044 CET | 60382 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:40.718411922 CET | 53 | 60382 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:45.045711994 CET | 62428 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:45.053747892 CET | 53 | 62428 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:50.077505112 CET | 51601 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:50.086288929 CET | 53 | 51601 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:25:55.045299053 CET | 52577 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:25:55.053072929 CET | 53 | 52577 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:00.044593096 CET | 50049 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:00.565200090 CET | 53 | 50049 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:05.045510054 CET | 51693 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:05.055665016 CET | 53 | 51693 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:10.053179026 CET | 53586 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:10.064955950 CET | 53 | 53586 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:15.119347095 CET | 53204 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:15.126447916 CET | 53 | 53204 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:20.045089960 CET | 50088 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:20.052783012 CET | 53 | 50088 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:25.045505047 CET | 61391 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:25.598747969 CET | 53 | 61391 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:29.147072077 CET | 51420 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:29.629334927 CET | 53 | 51420 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:30.045355082 CET | 57560 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:30.534117937 CET | 53 | 57560 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:35.045813084 CET | 49300 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:35.564107895 CET | 53 | 49300 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:40.095741034 CET | 51956 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:40.102521896 CET | 53 | 51956 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:45.045583010 CET | 65271 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:45.052799940 CET | 53 | 65271 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:50.044939995 CET | 56617 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:50.052392960 CET | 53 | 56617 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:26:55.046739101 CET | 56599 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:26:55.054665089 CET | 53 | 56599 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 13:27:00.070651054 CET | 54040 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 13:27:00.614614964 CET | 53 | 54040 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 13:23:20.851130962 CET | 192.168.2.8 | 1.1.1.1 | 0x1930 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:25.092622042 CET | 192.168.2.8 | 1.1.1.1 | 0x4d9d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:27.309988976 CET | 192.168.2.8 | 1.1.1.1 | 0xe9c9 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:30.061816931 CET | 192.168.2.8 | 1.1.1.1 | 0xce77 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:35.302881002 CET | 192.168.2.8 | 1.1.1.1 | 0x6428 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:40.124362946 CET | 192.168.2.8 | 1.1.1.1 | 0xbe8d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:45.108654022 CET | 192.168.2.8 | 1.1.1.1 | 0xcbc | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:50.110486984 CET | 192.168.2.8 | 1.1.1.1 | 0x2b7c | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:55.085882902 CET | 192.168.2.8 | 1.1.1.1 | 0x1e00 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:00.101177931 CET | 192.168.2.8 | 1.1.1.1 | 0x2ca6 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:05.093569994 CET | 192.168.2.8 | 1.1.1.1 | 0x3202 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:10.093015909 CET | 192.168.2.8 | 1.1.1.1 | 0x4a85 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:15.077033043 CET | 192.168.2.8 | 1.1.1.1 | 0x6814 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:20.055459023 CET | 192.168.2.8 | 1.1.1.1 | 0x1ebc | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:25.060514927 CET | 192.168.2.8 | 1.1.1.1 | 0x1de0 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:28.144834995 CET | 192.168.2.8 | 1.1.1.1 | 0xbab8 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:30.047977924 CET | 192.168.2.8 | 1.1.1.1 | 0x2151 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:35.061002970 CET | 192.168.2.8 | 1.1.1.1 | 0x5f3b | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:40.045208931 CET | 192.168.2.8 | 1.1.1.1 | 0x47d5 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:45.044869900 CET | 192.168.2.8 | 1.1.1.1 | 0x5acb | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:50.046860933 CET | 192.168.2.8 | 1.1.1.1 | 0x6401 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:55.046518087 CET | 192.168.2.8 | 1.1.1.1 | 0xd861 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:00.054855108 CET | 192.168.2.8 | 1.1.1.1 | 0xffea | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:05.047591925 CET | 192.168.2.8 | 1.1.1.1 | 0x6b9d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:10.046014071 CET | 192.168.2.8 | 1.1.1.1 | 0xb059 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:15.044374943 CET | 192.168.2.8 | 1.1.1.1 | 0x329a | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:20.045089006 CET | 192.168.2.8 | 1.1.1.1 | 0x28e2 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:25.045387030 CET | 192.168.2.8 | 1.1.1.1 | 0xf228 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:28.661644936 CET | 192.168.2.8 | 1.1.1.1 | 0x3c67 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:30.046004057 CET | 192.168.2.8 | 1.1.1.1 | 0x58b5 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:35.045310020 CET | 192.168.2.8 | 1.1.1.1 | 0xc52 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:40.174962044 CET | 192.168.2.8 | 1.1.1.1 | 0xc473 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:45.045711994 CET | 192.168.2.8 | 1.1.1.1 | 0x7355 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:50.077505112 CET | 192.168.2.8 | 1.1.1.1 | 0x1d00 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:55.045299053 CET | 192.168.2.8 | 1.1.1.1 | 0xb511 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:00.044593096 CET | 192.168.2.8 | 1.1.1.1 | 0xa903 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:05.045510054 CET | 192.168.2.8 | 1.1.1.1 | 0xaeda | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:10.053179026 CET | 192.168.2.8 | 1.1.1.1 | 0x9687 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:15.119347095 CET | 192.168.2.8 | 1.1.1.1 | 0x5c7d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:20.045089960 CET | 192.168.2.8 | 1.1.1.1 | 0xc4be | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:25.045505047 CET | 192.168.2.8 | 1.1.1.1 | 0x2b63 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:29.147072077 CET | 192.168.2.8 | 1.1.1.1 | 0x46d2 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:30.045355082 CET | 192.168.2.8 | 1.1.1.1 | 0x73f9 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:35.045813084 CET | 192.168.2.8 | 1.1.1.1 | 0x807b | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:40.095741034 CET | 192.168.2.8 | 1.1.1.1 | 0xe6d8 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:45.045583010 CET | 192.168.2.8 | 1.1.1.1 | 0x1911 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:50.044939995 CET | 192.168.2.8 | 1.1.1.1 | 0x8005 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:55.046739101 CET | 192.168.2.8 | 1.1.1.1 | 0xa08a | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:27:00.070651054 CET | 192.168.2.8 | 1.1.1.1 | 0xd544 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 13:23:21.403458118 CET | 1.1.1.1 | 192.168.2.8 | 0x1930 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:25.619621038 CET | 1.1.1.1 | 192.168.2.8 | 0x4d9d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:27.677083015 CET | 1.1.1.1 | 192.168.2.8 | 0xe9c9 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:23:27.677083015 CET | 1.1.1.1 | 192.168.2.8 | 0xe9c9 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:30.564500093 CET | 1.1.1.1 | 192.168.2.8 | 0xce77 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:35.310664892 CET | 1.1.1.1 | 192.168.2.8 | 0x6428 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:40.673605919 CET | 1.1.1.1 | 192.168.2.8 | 0xbe8d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:45.115885019 CET | 1.1.1.1 | 192.168.2.8 | 0xcbc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:50.118160009 CET | 1.1.1.1 | 192.168.2.8 | 0x2b7c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:55.618839979 CET | 1.1.1.1 | 192.168.2.8 | 0x1e00 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:00.110347033 CET | 1.1.1.1 | 192.168.2.8 | 0x2ca6 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:05.347250938 CET | 1.1.1.1 | 192.168.2.8 | 0x3202 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:10.630876064 CET | 1.1.1.1 | 192.168.2.8 | 0x4a85 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:15.084805965 CET | 1.1.1.1 | 192.168.2.8 | 0x6814 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:20.063033104 CET | 1.1.1.1 | 192.168.2.8 | 0x1ebc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:25.596714020 CET | 1.1.1.1 | 192.168.2.8 | 0x1de0 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:28.693099022 CET | 1.1.1.1 | 192.168.2.8 | 0xbab8 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:24:28.693099022 CET | 1.1.1.1 | 192.168.2.8 | 0xbab8 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:30.055006027 CET | 1.1.1.1 | 192.168.2.8 | 0x2151 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:35.604775906 CET | 1.1.1.1 | 192.168.2.8 | 0x5f3b | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:40.052668095 CET | 1.1.1.1 | 192.168.2.8 | 0x47d5 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:45.052067041 CET | 1.1.1.1 | 192.168.2.8 | 0x5acb | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:50.054250002 CET | 1.1.1.1 | 192.168.2.8 | 0x6401 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:55.541901112 CET | 1.1.1.1 | 192.168.2.8 | 0xd861 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:00.542938948 CET | 1.1.1.1 | 192.168.2.8 | 0xffea | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:05.055120945 CET | 1.1.1.1 | 192.168.2.8 | 0x6b9d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:10.053042889 CET | 1.1.1.1 | 192.168.2.8 | 0xb059 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:15.051698923 CET | 1.1.1.1 | 192.168.2.8 | 0x329a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:20.052128077 CET | 1.1.1.1 | 192.168.2.8 | 0x28e2 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:25.584173918 CET | 1.1.1.1 | 192.168.2.8 | 0xf228 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:29.125828981 CET | 1.1.1.1 | 192.168.2.8 | 0x3c67 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:25:29.125828981 CET | 1.1.1.1 | 192.168.2.8 | 0x3c67 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:30.053647995 CET | 1.1.1.1 | 192.168.2.8 | 0x58b5 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:35.053432941 CET | 1.1.1.1 | 192.168.2.8 | 0xc52 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:40.718411922 CET | 1.1.1.1 | 192.168.2.8 | 0xc473 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:45.053747892 CET | 1.1.1.1 | 192.168.2.8 | 0x7355 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:50.086288929 CET | 1.1.1.1 | 192.168.2.8 | 0x1d00 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:55.053072929 CET | 1.1.1.1 | 192.168.2.8 | 0xb511 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:00.565200090 CET | 1.1.1.1 | 192.168.2.8 | 0xa903 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:05.055665016 CET | 1.1.1.1 | 192.168.2.8 | 0xaeda | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:10.064955950 CET | 1.1.1.1 | 192.168.2.8 | 0x9687 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:15.126447916 CET | 1.1.1.1 | 192.168.2.8 | 0x5c7d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:20.052783012 CET | 1.1.1.1 | 192.168.2.8 | 0xc4be | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:25.598747969 CET | 1.1.1.1 | 192.168.2.8 | 0x2b63 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:29.629334927 CET | 1.1.1.1 | 192.168.2.8 | 0x46d2 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:26:29.629334927 CET | 1.1.1.1 | 192.168.2.8 | 0x46d2 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:30.534117937 CET | 1.1.1.1 | 192.168.2.8 | 0x73f9 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:35.564107895 CET | 1.1.1.1 | 192.168.2.8 | 0x807b | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:40.102521896 CET | 1.1.1.1 | 192.168.2.8 | 0xe6d8 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:45.052799940 CET | 1.1.1.1 | 192.168.2.8 | 0x1911 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:50.052392960 CET | 1.1.1.1 | 192.168.2.8 | 0x8005 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:26:55.054665089 CET | 1.1.1.1 | 192.168.2.8 | 0xa08a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:27:00.614614964 CET | 1.1.1.1 | 192.168.2.8 | 0xd544 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
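Read together, the query and answer tables show two very different lookup patterns: host123.zz.am is queried about every five seconds and answered NXDOMAIN (Name error) every time, while blog.sina.com.cn is queried about once a minute and resolves through the CNAME blogx.sina.com.cn to 202.108.0.52. The script below is an added example, not part of the Joe Sandbox report, that extracts exactly those two properties (query periodicity and NXDOMAIN ratio per name) from rows in the layout used above. The embedded rows are a constructed subset copied from the two tables; the 25% jitter tolerance and the three-query minimum are assumptions, and the nanosecond fractions are truncated to microseconds because datetime parses at most six digits.

```python
"""Periodicity and NXDOMAIN triage over DNS query/answer rows in the layout
of the sandbox report tables. Added example, not Joe Sandbox code; the rows
below are a constructed subset copied from the report."""
from collections import defaultdict
from datetime import datetime
from statistics import median

QUERIES = """\
Nov 19, 2024 13:23:20.851130962 CET | 192.168.2.8 | 1.1.1.1 | 0x1930 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:25.092622042 CET | 192.168.2.8 | 1.1.1.1 | 0x4d9d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:27.309988976 CET | 192.168.2.8 | 1.1.1.1 | 0xe9c9 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:30.061816931 CET | 192.168.2.8 | 1.1.1.1 | 0xce77 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:35.302881002 CET | 192.168.2.8 | 1.1.1.1 | 0x6428 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:40.124362946 CET | 192.168.2.8 | 1.1.1.1 | 0xbe8d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:45.108654022 CET | 192.168.2.8 | 1.1.1.1 | 0xcbc | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:28.144834995 CET | 192.168.2.8 | 1.1.1.1 | 0xbab8 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:28.661644936 CET | 192.168.2.8 | 1.1.1.1 | 0x3c67 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
"""

ANSWERS = """\
Nov 19, 2024 13:23:21.403458118 CET | 1.1.1.1 | 192.168.2.8 | 0x1930 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:25.619621038 CET | 1.1.1.1 | 192.168.2.8 | 0x4d9d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:27.677083015 CET | 1.1.1.1 | 192.168.2.8 | 0xe9c9 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:23:27.677083015 CET | 1.1.1.1 | 192.168.2.8 | 0xe9c9 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:30.564500093 CET | 1.1.1.1 | 192.168.2.8 | 0xce77 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:35.310664892 CET | 1.1.1.1 | 192.168.2.8 | 0x6428 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:40.673605919 CET | 1.1.1.1 | 192.168.2.8 | 0xbe8d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:23:45.115885019 CET | 1.1.1.1 | 192.168.2.8 | 0xcbc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:24:28.693099022 CET | 1.1.1.1 | 192.168.2.8 | 0xbab8 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:24:28.693099022 CET | 1.1.1.1 | 192.168.2.8 | 0xbab8 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 13:25:29.125828981 CET | 1.1.1.1 | 192.168.2.8 | 0x3c67 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 13:25:29.125828981 CET | 1.1.1.1 | 192.168.2.8 | 0x3c67 | No error (0) | blogx.sina.com.cn |  | 202.108.0.52 | A (IP address) | IN (0x0001) | false
"""


def parse_ts(text):
    """'Nov 19, 2024 13:23:20.851130962 CET' -> seconds. %f accepts at most
    six digits, so the nanosecond fraction is truncated to microseconds."""
    base, rest = text.rsplit(".", 1)
    frac = rest.split(" ", 1)[0][:6]
    dt = datetime.strptime(f"{base}.{frac}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - datetime(1970, 1, 1)).total_seconds()


def rows(block):
    """Split pipe-separated table rows into stripped cells."""
    return [[c.strip() for c in line.split("|")] for line in block.strip().splitlines()]


def dns_triage(queries_text, answers_text, min_queries=3, jitter=0.25):
    """Per queried name: query count, median gap between queries, whether every
    gap lies within `jitter` of that median, and the NXDOMAIN ratio (both
    thresholds are assumptions chosen for this example)."""
    stamps = defaultdict(list)   # name -> query times
    name_of = {}                 # transaction id -> name, to join answers to queries
    for ts, _src, _dst, txid, _op, name, *_ in rows(queries_text):
        stamps[name].append(parse_ts(ts))
        name_of[txid] = name
    rcode_of = {}                # one reply code per transaction (CNAME+A rows share an id)
    for _ts, _src, _dst, txid, rcode, *_ in rows(answers_text):
        rcode_of.setdefault(txid, rcode)

    report = {}
    for name, times in stamps.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        codes = [rcode_of[t] for t, n in name_of.items() if n == name and t in rcode_of]
        nx = sum(code.startswith("Name error") for code in codes)
        report[name] = {
            "queries": len(times),
            "median_interval_s": round(med, 2) if med is not None else None,
            "periodic": bool(gaps) and len(times) >= min_queries
                        and all(abs(g - med) <= jitter * med for g in gaps),
            "nxdomain_ratio": round(nx / len(codes), 2) if codes else None,
        }
    return report


if __name__ == "__main__":
    for name, stats in dns_triage(QUERIES, ANSWERS).items():
        print(name, stats)
```

On the rows above this reports host123.zz.am as periodic at a median of roughly 5 s with an NXDOMAIN ratio of 1.0, and blog.sina.com.cn as periodic at roughly 61 s with an NXDOMAIN ratio of 0.0. Joining answers to queries by transaction ID rather than by name matters for the CNAME case, where one transaction produces two answer rows.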


                                  Target ID:0
                                  Start time:07:22:54
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\loaddll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:loaddll32.exe "C:\Users\user\Desktop\81mieek02V.dll"
                                  Imagebase:0xbf0000
                                  File size:126'464 bytes
                                  MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:07:22:54
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6ee680000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1
                                  Imagebase:0xa40000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,DoAddToFavDlg
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:5
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",#1
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0xa40000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6ee680000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:07:22:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x290000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:07:22:58
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,InputFile
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:07:23:01
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\81mieek02V.dll,PrintFile
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:07:23:01
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 672
                                  Imagebase:0x10000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:17
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:18
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",InputFile
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\81mieek02V.dll",PrintFile
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:20
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0xa40000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:22
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6ee680000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:23
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 668
                                  Imagebase:0x10000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:24
                                  Start time:07:23:04
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x290000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:26
                                  Start time:07:23:28
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:07:23:28
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0x7ff6ee680000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:28
                                  Start time:07:23:28
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6ee680000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:29
                                  Start time:07:23:28
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x290000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:30
                                  Start time:07:23:36
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\81mieek02V.dll",DoAddToFavDlg
                                  Imagebase:0xd80000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:31
                                  Start time:07:23:36
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0xa40000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:32
                                  Start time:07:23:36
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6ee680000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:33
                                  Start time:07:23:36
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x290000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:4.5%
                                    Dynamic/Decrypted Code Coverage:99.6%
                                    Signature Coverage:1.2%
                                    Total number of Nodes:251
                                    Total number of Limit Nodes:10
                                    execution_graph (interactive node/edge rendering in the original report; the edge list is condensed here to the call chains it records, keyed by function address in the rundll32-loaded image at 0x10000000)
                                    • 10007101: Sleep, wsprintfA; calls 10005c4c, 10003ef4 (wvsprintfA), 100061bd and 1000570f (wsprintfA, then wsprintfA x2 at 10005776)
                                    • 10005c4c and 10005cf7: wvsprintfA, PathFileExistsA, CreateFileA, ReadFile, CloseHandle, StrStrIA (open a file and search its contents for a string)
                                    • 100061bd: InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, CloseHandle (HTTP fetch with the response read back)
                                    • 10006290 (reached from 10006dc4 after two wvsprintfA calls): InternetOpenA, InternetOpenUrlA, InternetCloseHandle only (request issued without reading the response)
                                    • 10006499: wsprintfA, InternetOpenA, InternetOpenUrlA, InternetReadFile, MultiByteToWideChar x2, wsprintfA
                                    • 10004482: RegOpenKeyExA; 100044ad: GetExtendedUdpTable x2; 10005846: gethostbyname
                                    • 10005db4: RegQueryValueExA, RegCloseKey, wvsprintfA, then 10005cf7
                                    • 10005f98: wvsprintfA, CreateFileA, WriteFile, CloseHandle
                                    • 1000687e: calls 10005db4, 10005f15 (8 API calls), 10005f98 and ExitWindowsEx
                                    • 10006a6e and 10006b1f: CreateMutexA, GetLastError, CreateThread, Sleep; 10006a6e also calls 10006499, and both hand 1000687e to the new thread
                                    • 10006cf7 (reached from 10006ed6): GetShortPathNameA, RegCreateKeyExA, wsprintfA, RegSetValueExA, RegCloseKey (registry persistence)
                                    • 10006ede: Sleep, 1000591c (lstrcmpiA, CloseHandle, CreateToolhelp32Snapshot, Process32First, Process32Next), 10005c4c, wvsprintfA, 100061bd, Sleep, wsprintfA, PrintFile x2
                                    • 1000720e: MultiByteToWideChar (via 1000504d/100050f5/1000d0ae, 10007a62 and 10007ccb), SafeArrayCreate x3, VariantInit x2
                                    • 1000826c: calls 10005c4c, 10003ef4, 100061bd, Sleep, wsprintfA and 1000720e
                                    • 100081f7: 10007f3e (8 API calls), Sleep, GetDriveTypeA
                                    • 10008567: Sleep, 100061bd, Sleep; 10004351: Sleep x2; 100087b6: CreateThread, Sleep, CreateThread, Sleep, then 10006a6e and further Sleeps

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$12010043$L2ltYWdlLnBocA==$NPKI$P
                                    • API String ID: 0-3984435826
                                    • Opcode ID: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                    • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                    • Opcode Fuzzy Hash: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                    • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 3332741929-0
                                    • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                    • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                    • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                    • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                    • Sleep.KERNEL32 ref: 10007059
                                    • wsprintfA.USER32 ref: 1000709D
                                    • PrintFile.81MIEEK02V(00000000,?,00000000), ref: 100070D6
                                    • PrintFile.81MIEEK02V(00000000,?,00000000,?,00000000), ref: 100070E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: FilePrintSleep$wsprintf
                                    • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                    • API String ID: 1547040302-3813294871
                                    • Opcode ID: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                    • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                    • Opcode Fuzzy Hash: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                    • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55

                                    Control-flow Graph

                                    APIs
                                    • wsprintfA.USER32 ref: 100064F7
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                      • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                      • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,75570ECC,0007D000,00000000,00000000), ref: 100065C8
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,75570ECC,0007D000,00000000,00000000), ref: 100065E6
                                    • wsprintfA.USER32 ref: 100066E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                    • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                    • API String ID: 4077377486-2496724313
                                    • Opcode ID: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
                                    • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                    • Opcode Fuzzy Hash: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
                                    • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1

                                    Control-flow Graph

                                    APIs
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                      • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2
                                      • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CloseFormatQueryTimeValue___crt
                                    • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                    • API String ID: 271660946-3893357082
                                    • Opcode ID: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                    • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                    • Opcode Fuzzy Hash: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                    • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                      • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                    • wsprintfA.USER32 ref: 10006D88
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                      • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,dtfd,00000000,00000001,?,00000001,?), ref: 100040E9
                                      • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                    • String ID: %s "%s",DoAddToFavDlg$C:\Users\user\Desktop\81mieek02V.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                    • API String ID: 1762869224-426308641
                                    • Opcode ID: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                    • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                    • Opcode Fuzzy Hash: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                    • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                    • wsprintfA.USER32 ref: 100083E6
                                    Strings
                                    • 8.8.8.8, xrefs: 100083EF
                                    • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                    • 127.0.0.1, xrefs: 100083F4
                                    • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                    • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                    • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                    • API String ID: 1749205058-626475063
                                    • Opcode ID: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                    • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                    • Opcode Fuzzy Hash: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                    • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    • GetLastError.KERNEL32 ref: 10006AA8
                                      • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                      • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                    • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                    • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1
                                    Strings
                                    Similarity
                                    • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                    • String ID: 0x5d65r455f$5762479093
                                    • API String ID: 3244495550-2446933972
                                    • Opcode ID: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                    • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                    • Opcode Fuzzy Hash: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                    • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(00002710), ref: 1000857E
                                    • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                    Strings
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                    • API String ID: 3472027048-3516831565
                                    • Opcode ID: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                    • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                    • Opcode Fuzzy Hash: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                    • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91

                                    Control-flow Graph

                                    APIs
                                    • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 100044E9
                                    • GetExtendedUdpTable.IPHLPAPI(?,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 10004513
                                    Strings
                                    Similarity
                                    • API ID: ExtendedTable
                                    • String ID: GetExtendedUdpTable$iphlpapi.dll
                                    • API String ID: 2407854163-1809394930
                                    • Opcode ID: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                    • Instruction ID: 6449560a486cb6172ee975f2d37c1f40bf8993c7a1880d61e14318031523e361
                                    • Opcode Fuzzy Hash: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                    • Instruction Fuzzy Hash: D1215CB5500508BFEB20DB69DC46EAF77BCDF813D1F214519F9119A086DE30AE808674

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                    Strings
                                    • svchsot.exe, xrefs: 10008524
                                    • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                    • API String ID: 3472027048-2214221337
                                    • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                    • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                    • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                    • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1

                                    Control-flow Graph

Basic blocks (id: address range, calls) and edges, recovered from the graph data:
• 490: 100087b6-100087ea, CreateThread, Sleep, CreateThread, Sleep
• 492: 100087eb-100087f2
• Edges: 490->492
                                    APIs
                                    • CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
                                    • Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
                                    • CreateThread.KERNEL32(?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
                                    • Sleep.KERNEL32(000000FF,?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E8
                                    Similarity
                                    • API ID: CreateSleepThread
                                    • String ID:
                                    • API String ID: 4202482776-0
                                    • Opcode ID: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                    • Instruction ID: 2df9746d7e78e8372c6e87ac4aa0691d1060a96339f5c4ce5d4c7b8b7a8da0f8
                                    • Opcode Fuzzy Hash: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                    • Instruction Fuzzy Hash: 46E05EE024435DBDF321B2791CC8DFF1E0DEB812FCB254252F528100CB6A540D048AB2

                                    Control-flow Graph

Basic blocks (id: address range, calls) and edges, recovered from the graph data:
• 494: 10006b1f-10006b5f, call 1002005c, call 10003ece, GetLastError
• 499: 10006b90-10006bc0, call 1002a5e7, call 10038e15
• 500: 10006b61-10006b8e, CreateThread, call 1002420a, call 1002ab9b, Sleep
• 510: 10006bc2-10006bc5
• 511: 10006bca-10006bcf
• 512: 10006bd5-10006bd6
• 513: 10006c56-10006c65, call 1000ccf2
• 514: 10006c66-10006c68
• 515: 10006bd9-10006be3
• 517: 10006be5-10006be9
• 518: 10006beb-10006bf1
• 520: 10006bf3-10006bf7
• 521: 10006bf9-10006c3a
• 522: 10006c40-10006c45
• 523: 10006c3c
• 524: 10006c47
• 525: 10006c4b-10006c50
• 526: 10006c52-10006c55
• Edges: 494->499, 494->500, 499->510, 499->511, 510->514, 511->512, 511->513, 512->515, 513->514, 515->517, 515->518, 517->518, 518->520, 518->521, 520->521, 521->522, 521->523, 522->524, 522->525, 523->522, 524->525, 525->515, 525->526, 526->513
                                    APIs
                                      • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    • GetLastError.KERNEL32 ref: 10006B55
                                    • CreateThread.KERNEL32(?,?,1000687E), ref: 10006B6B
                                    • Sleep.KERNEL32(00002710,?,00000000,00000000,000000FF,?,?,1000687E), ref: 10006B88
                                    Similarity
                                    • API ID: Create$ErrorLastMutexSleepThread
                                    • String ID:
                                    • API String ID: 145085098-0
                                    • Opcode ID: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
                                    • Instruction ID: 4f35827bfa7b5ea93410d600da94e256639eda4c8ceaa52b9f8b13dee9a51c26
                                    • Opcode Fuzzy Hash: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
                                    • Instruction Fuzzy Hash: 463182714043905EF716DB284C45EA7BFAEDF5A390B14416AF8A5CB287D620D941C771

                                    Control-flow Graph

Basic blocks (id: address range, calls) and edges, recovered from the graph data:
• 527: 10007101-10007119, call 1000cc9e
• 530: 1000711b-10007160, call 10005c4c
• 533: 10007162-10007169
• 534: 1000716b
• 535: 10007170-100071a4, call 10003ef4, call 1000ccec, call 100061bd
• 542: 100071a6-100071b2, Sleep
• 543: 100071b7-100071bb
• 544: 100071d9-100071e3, call 1000ccf2
• 545: 100071bd-100071c7
• 546: 100071c9-100071cd
• 547: 100071cf
• 549: 100071d3-100071d7
• 551: 100071e5-100071f5, call 1000cde2
• 554: 100071f7-1000720c, wsprintfA, call 1000570f
• Edges: 527->530, 530->533, 530->534, 533->535, 534->535, 535->542, 535->543, 542->530, 543->544, 543->545, 544->542, 544->551, 545->546, 545->547, 546->549, 547->549, 549->544, 549->545, 551->542, 551->554, 554->542
                                    APIs
                                    Strings
                                    • http://107.160.131.254:23588/article.php, xrefs: 1000716B
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: http://107.160.131.254:23588/article.php
                                    • API String ID: 1749205058-3833642815
                                    • Opcode ID: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
                                    • Instruction ID: aabc6cc0ccec88c78b37051fa20fdae4f9ca8aa4d7268392f08ad21868547801
                                    • Opcode Fuzzy Hash: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
                                    • Instruction Fuzzy Hash: 462129B6D046557AF724D368CC56FCF37ACEF053D0F2000A6F608A50C6E679AE818A11
                                    APIs
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                    Strings
                                    • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
                                    Similarity
                                    • API ID: FormatInternetOpenTime___crt
                                    • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                    • API String ID: 483802873-1756078650
                                    • Opcode ID: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
                                    • Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
                                    • Opcode Fuzzy Hash: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
                                    • Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660
                                    APIs
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
                                      • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                    Strings
                                    • TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298
                                    Similarity
                                    • API ID: InternetOpen$FormatTime___crt
                                    • String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
                                    • API String ID: 1165476586-1918919809
                                    • Opcode ID: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
                                    • Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
                                    • Opcode Fuzzy Hash: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
                                    • Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: C:\Program Files
                                    • API String ID: 3472027048-1387799010
                                    • Opcode ID: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
                                    • Instruction ID: c9703108929f2dc2805788eab40c91aa3f5a92b87bc929f4f41ff718cce9746c
                                    • Opcode Fuzzy Hash: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
                                    • Instruction Fuzzy Hash: 40F0723A905AA1A6F701DFA409C068B776DFF022A0B210026F840BF047C7B18E0243E2
                                    APIs
                                    • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    APIs
                                    • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    Similarity
                                    • API ID: InternetOpen
                                    • String ID:
                                    • API String ID: 2038078732-0
                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    APIs
                                    • GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                    Similarity
                                    • API ID: NamePathShort
                                    • String ID:
                                    • API String ID: 1295925010-0
                                    APIs
                                    • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32Next.KERNEL32(00000000,00000000), ref: 1000411D
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    APIs
                                    • GetDriveTypeA.KERNEL32(?,1000824C,10015940), ref: 1000400E
                                    Similarity
                                    • API ID: DriveType
                                    • String ID:
                                    • API String ID: 338552980-0
                                    APIs
                                    • RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    APIs
                                    • gethostbyname.WS2_32(00000000), ref: 10003EB8
                                    Similarity
                                    • API ID: gethostbyname
                                    • String ID:
                                    • API String ID: 930432418-0
                                    APIs
                                    • PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID:
                                    • API String ID: 1174141254-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    APIs
                                    • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                    Similarity
                                    • API ID: FileInternetRead
                                    • String ID:
                                    • API String ID: 778332206-0
                                    APIs
                                    • ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B
                                    Similarity
                                    • API ID: ExitWindows
                                    • String ID:
                                    • API String ID: 1089080001-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: '
                                    • API String ID: 0-1997036262
                                    • Opcode ID: caccb626b00a962d49a4d86a0300a1125d2220d93bea72919c028e0ffa6b786b
                                    • Instruction ID: f389f15fd0a8877f73eb6a91fb6ffbaafb7a2d8a217a3cbe01a0a4cb358a3832
                                    • Opcode Fuzzy Hash: caccb626b00a962d49a4d86a0300a1125d2220d93bea72919c028e0ffa6b786b
                                    • Instruction Fuzzy Hash: 5581276940E3D19FC7438B785CF91823FA2AE1B24434F09DAC4C09F4B7E1995D49C7A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                    • Instruction ID: 9e0b5d620d62c11970e9cc848d1ca02f4ed839136e4bfa4bb83daef4b24ba54e
                                    • Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                    • Instruction Fuzzy Hash: AA313A33E2C6B607E324DF7E4C84025F7D6EB8A06275A8779DE88E7255D128EC518BD0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
                                    • Instruction ID: 9deb1ace0ade157a7cf376dc79b16b2541233208deadd1a3cef8bf08dc3f5488
                                    • Opcode Fuzzy Hash: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
                                    • Instruction Fuzzy Hash: 43F0682128E3C15DE30186685441BC1FF846B76314F0CC7CDB1D40B283C1954084CBA6
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
                                    • Instruction ID: f0cb1bca0584f7cb9865d2b0003cd1252f49916ae924d73bcd8c513b2b9b2d6d
                                    • Opcode Fuzzy Hash: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
                                    • Instruction Fuzzy Hash: 11E0E5A440C38AFEC703AB3488840E93FA6EE91310F04840CF4C403A02E3B589A09332
                                    APIs
                                    • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                    • VariantInit.OLEAUT32(?), ref: 1000734D
                                    • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                    • VariantInit.OLEAUT32(?), ref: 10007377
                                      • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                    • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                    • VariantInit.OLEAUT32(?), ref: 10007513
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InitVariant$ArrayCreateSafe
                                    • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=5w
                                    • API String ID: 2640012081-3861124693
                                    • Opcode ID: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
                                    • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                    • Opcode Fuzzy Hash: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
                                    • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID: %s\%s$%s\version.txt$12010043$12010043$C:\Users\user\Desktop$C:\Users\user\Desktop\12010043$C:\Users\user\Desktop\81mieek02V.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB45F69C$M%s$Mhost123.zz.am:6658$host123.zz.am:6658
                                    • API String ID: 2111968516-2540919926
                                    • Opcode ID: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
                                    • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                    • Opcode Fuzzy Hash: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
                                    • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 10004EC5
                                    • VariantInit.OLEAUT32(?), ref: 10004ECB
                                    • VariantInit.OLEAUT32(?), ref: 10004ED1
                                    • VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 10005009
                                    • VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 1000500F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InitVariant
                                    • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=5w$svchost.exe$svchost.exe -k NetworkService
                                    • API String ID: 1927566239-4270180057
                                    • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                    • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                    • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                    • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                    APIs
                                    • wsprintfA.USER32 ref: 1000574F
                                    • wsprintfA.USER32 ref: 100057B1
                                    • wsprintfA.USER32 ref: 100057C5
                                    • PrintFile.81MIEEK02V(?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000,?,1000720C), ref: 100057E8
                                    • CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,00000000), ref: 10005835
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: wsprintf$CreateFilePrintThread
                                    • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                    • API String ID: 1788855648-1421401311
                                    • Opcode ID: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
                                    • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                    • Opcode Fuzzy Hash: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
                                    • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                    APIs
                                    • wsprintfA.USER32 ref: 10005437
                                    • wsprintfA.USER32 ref: 1000549E
                                    • wsprintfA.USER32 ref: 100054BC
                                    • PrintFile.81MIEEK02V(?,?,10016594,?,00000000), ref: 100054DE
                                    • wsprintfA.USER32 ref: 10005582
                                    • Sleep.KERNEL32(000003E8,00000000,76C08400,?,40000000,00000001,00000000,00000002,00000000,00000000,7541C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                    Strings
                                    • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                    • c:\windows\system32\drivers\%s, xrefs: 10005498
                                    • %s\%s, xrefs: 10005431
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: wsprintf$FilePrintSleep
                                    • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                    • API String ID: 518940211-4228670124
                                    • Opcode ID: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
                                    • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                    • Opcode Fuzzy Hash: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
                                    • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
                                    APIs
                                    • Sleep.KERNEL32(?,?,?,cmd.exe), ref: 100043A6
                                    • Sleep.KERNEL32(000003E8), ref: 100043E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                    • API String ID: 3472027048-2620343502
                                    • Opcode ID: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
                                    • Instruction ID: 2962837d3e63ffe82077fec71eea4cc39f059f6aab2461bdb2792d37a05628b4
                                    • Opcode Fuzzy Hash: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
                                    • Instruction Fuzzy Hash: 370126BA000394BAFB12BB74EC46F9E3B5CDF452E2F120016F9446D086CEB5AA804565
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?,000000BC,00000000,?,00000128,00000000), ref: 10005F21
                                      • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,00000000,00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?), ref: 10004132
                                      • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                      • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(00000000,00000010,?,00000000,00000000,10005F7E,?,10005F7E,00000000,00000000,?,00000010,00000000,00000000), ref: 10004064
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop
                                    • API String ID: 3793502078-2679580386
                                    • Opcode ID: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
                                    • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                    • Opcode Fuzzy Hash: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
                                    • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                    APIs
                                      • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                    • API String ID: 1721638100-2691734327
                                    • Opcode ID: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
                                    • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                    • Opcode Fuzzy Hash: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
                                    • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                    APIs
                                      • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                    • API String ID: 1721638100-4272537799
                                    • Opcode ID: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
                                    • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                    • Opcode Fuzzy Hash: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
                                    • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660
                                    APIs
                                    Strings
                                    • C:\Users\user\Desktop, xrefs: 1000880B
                                    • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                     • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                    • API String ID: 1749205058-715194466
                                    • Opcode ID: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
                                    • Instruction ID: cb8f3af107b47666e7401f40fe0349a9d09f1feb376e898973d7629cffdb37cc
                                    • Opcode Fuzzy Hash: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
                                    • Instruction Fuzzy Hash: 00F0AEF250019DABEB15CBA4CC857EA3768FF04285F040975F705F5051DBB19AC44A55
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InitVariant
                                    • String ID: $p=5w
                                    • API String ID: 1927566239-2851331367
                                    • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                    • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                    • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                    • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                    APIs
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                      • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3944815124.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3944781524.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944858701.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944900929.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3944947368.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945004798.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3945048555.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateTimer$Concurrency::details::platform::__FileQueue
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop
                                    • API String ID: 3486561800-2679580386
                                    • Opcode ID: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
                                    • Instruction ID: 2e9b22e8cb94d114ab57fa925500967999958ebf182bde47e5e7f2d31677baea
                                    • Opcode Fuzzy Hash: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
                                    • Instruction Fuzzy Hash: 23E0687290112432E670D1669C07FCF3E9CDB857F4F000220B688E60C4DAB4AAC4C6E0