
Windows Analysis Report
jYAKmjIPgI.dll

Overview

General Information

Sample name: jYAKmjIPgI.dll
(renamed because original name is a hash value)
Original sample name: 20514624060a4c8d965a20ee9a7789237081988d.dll
Analysis ID: 1558492
MD5: 53bd35fc7c146ce64dae892fb6bf5fbb
SHA1: 20514624060a4c8d965a20ee9a7789237081988d
SHA256: dfb1117e6d202d6d5bdd30b67516a1589b4f8f636d42509aca46efaa51bd9b7c
Tags: dll, user-NDA0E
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
PE file has a writeable .text section
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2404 cmdline: loaddll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5448 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2544 cmdline: rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 2960 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 5740 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 6196 cmdline: rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6236 cmdline: rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1764 cmdline: rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2548 cmdline: rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 5368 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 1012 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • rundll32.exe (PID: 5368 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7024 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 1968 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 2136 cmdline: rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1592 cmdline: rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5932 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 6944 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 5720 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 1016 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtfd
No Suricata rule has matched

AV Detection

Source: jYAKmjIPgI.dll | Avira: detected
Source: jYAKmjIPgI.dll | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: jYAKmjIPgI.dll | Joe Sandbox ML: detected
Source: jYAKmjIPgI.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.253 18659
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.254 23588
Source: global traffic | TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: global traffic | TCP traffic: 107.160.131.253 ports 1,5,6,8,9,18659
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | TCP traffic: 192.168.2.6:49705 -> 107.160.131.253:18659
Source: global traffic | TCP traffic: 192.168.2.6:49704 -> 107.163.56.110:18530
Source: global traffic | TCP traffic: 192.168.2.6:49737 -> 107.160.131.254:23588
Source: Joe Sandbox View | IP Address: 202.108.0.52
Source: Joe Sandbox View | IP Address: 107.163.56.110
Source: Joe Sandbox View | ASN Name: TAKE2US
Source: Joe Sandbox View | ASN Name: AS40676US
Source: Joe Sandbox View | ASN Name: AS40676US
Source: global traffic | TCP traffic: 192.168.2.6:49762 -> 202.108.0.52:80
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10003F41 InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: host123.zz.am
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, rundll32.exe, 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.160.131.253:18659/
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.253:18659//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mtiWmtaWndm
Source: rundll32.exe, rundll32.exe, 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php(
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php.
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php/
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php4n
Source: rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php5
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php=
Source: rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpB
Source: rundll32.exe, 00000005.00000002.4619774696.00000000055CD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4621511995.00000000057EA000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpC:
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpDo
Source: rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpm
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpnager_cw5n1h2tx
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phppn
Source: rundll32.exe, 00000005.00000002.4619774696.00000000055CD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4619663807.000000000554D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.160.13I
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000005.00000002.4913750024.0000000038F22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4613450552.0000000004732000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000005.00000002.4623447419.0000000005A0D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093$
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093;
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093C
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093i
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093i/
Source: rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093ication
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093z
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.rsac.org/ratingsv01.html

System Summary

barindex
Source: jYAKmjIPgI.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10008AAD: DeviceIoControl,5_2_10008AAD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10003F63 ExitWindowsEx,5_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10003F63 ExitWindowsEx,11_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_10003F63 ExitWindowsEx,18_2_10003F63
Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_007700CD1_2_007700CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_029800CD4_2_029800CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000B2245_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000B70D5_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100121ED5_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000AEC05_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02AA00CD5_2_02AA00CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005B00CD10_2_005B00CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000B22411_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000B70D11_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100121ED11_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000AEC011_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_047600CD11_2_047600CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_046000CD16_2_046000CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_045900CD17_2_045900CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_1000B22418_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_1000B70D18_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_100121ED18_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_1000AEC018_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_033C00CD18_2_033C00CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 26_2_030600CD26_2_030600CD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10001000 appears 909 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10009125 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1000CD90 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 676
Source: jYAKmjIPgI.dllBinary or memory string: OriginalFilenamejscript.dllL vs jYAKmjIPgI.dll
Source: jYAKmjIPgI.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: jYAKmjIPgI.dllStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jYAKmjIPgI.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engineClassification label: mal100.troj.spyw.evad.winDLL@42/10@51/5
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_1000404F AdjustTokenPrivileges,5_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000404F AdjustTokenPrivileges,11_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_1000404F AdjustTokenPrivileges,18_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10003FB7 CreateToolhelp32Snapshot,5_2_10003FB7
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\Desktop\12010043Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\host123.zz.am:6658
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\Mhost123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1404:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1592
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1764
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\b0c3e9e0-44fb-4733-b7b8-33370212914bJump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
Source: jYAKmjIPgI.dllReversingLabs: Detection: 97%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,InputFile
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 676
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",InputFile
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 676
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,DoAddToFavDlgJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,PrintFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlgJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",PrintFileJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00770E9F LoadLibraryA,GetProcAddress, | 1_2_00770E9F
Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
Source: jYAKmjIPgI.dll | Static PE information: real checksum: 0x31f33 should be: 0x36883
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1003900A push dword ptr [esp+4Ch]; retn 0050h | 5_2_1003901C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10027023 push dword ptr [esp+18h]; retn 001Ch | 5_2_1002A254
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002F024 push dword ptr [esp+14h]; retn 0018h | 5_2_1002F036
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10029029 push dword ptr [esp+38h]; retn 003Ch | 5_2_10027C71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10029029 pushad ; mov dword ptr [esp], 73E57D1Ah | 5_2_10029046
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1003B02D push dword ptr [esp+50h]; retn 0054h | 5_2_1003B061
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002F039 push esp; mov dword ptr [esp], B1CF2C6Dh | 5_2_1002F051
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002F039 push dword ptr [esp+50h]; retn 0054h | 5_2_1002F068
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10035048 push dword ptr [esp+50h]; retn 0054h | 5_2_100351D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10033059 push dword ptr [esp+50h]; retn 0054h | 5_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10033064 push dword ptr [esp+50h]; retn 0054h | 5_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002D06D push dword ptr [esp+38h]; retn 003Ch | 5_2_1002D08D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10031079 push dword ptr [esp+30h]; retn 0034h | 5_2_10031095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10027080 push ebp; mov dword ptr [esp], edx | 5_2_1002FD0B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10027080 push dword ptr [esp+04h]; retn 0008h | 5_2_1002FD4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10023085 push dword ptr [esp+38h]; retn 003Ch | 5_2_10023093
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10023096 push dword ptr [esp+50h]; retn 0054h | 5_2_100230B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100330A5 push dword ptr [esp+2Ch]; retn 0030h | 5_2_1002B78C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100330A5 push dword ptr [esp+04h]; retn 0008h | 5_2_1003B2DF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100230B6 push dword ptr [esp+34h]; retn 0038h | 5_2_1002F874
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100270BA push dword ptr [esp+34h]; retn 0038h | 5_2_1002AD33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100250BC push dword ptr [esp+44h]; retn 0048h | 5_2_1003408E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002F0D4 push dword ptr [esp+0Ch]; retn 0014h | 5_2_1002F0EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h | 5_2_100282E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h | 5_2_100338DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100350D9 push dword ptr [esp+50h]; retn 0054h | 5_2_10035102
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_100250D9 push dword ptr [esp+14h]; retn 0018h | 5_2_100250F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002B0E4 push dword ptr [esp+48h]; retn 004Ch | 5_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002D0EF push dword ptr [esp+10h]; retn 0014h | 5_2_1002D116
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1002B0EF push dword ptr [esp+48h]; retn 004Ch | 5_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10039107 push dword ptr [esp+4Ch]; retn 0050h | 5_2_10039116
Source: jYAKmjIPgI.dll | Static PE information: section name: .text entropy: 7.997797944306588

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_5-17740
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001E1FE rdtsc | 5_2_1001E1FE
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 613
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 5325
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 5.6 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6724 | Thread sleep count: 613 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6724 | Thread sleep time: -1103400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1804 | Thread sleep count: 62 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1804 | Thread sleep time: -620000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5988 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4544 | Thread sleep time: -2160000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2940 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3360 | Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 992 | Thread sleep time: -3300000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1524 | Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5936 | Thread sleep time: -7200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6724 | Thread sleep count: 5325 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6724 | Thread sleep time: -9585000000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5988 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose, | 5_2_10007F3E
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.14.dr | Binary or memory string: VMware
Source: rundll32.exe, 00000005.00000003.2470438351.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: rundll32.exe, 00000005.00000002.4612359732.00000000004FB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.0000000002769000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000005.00000002.4612672971.0000000002769000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWa
Source: Amcache.hve.14.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000005.00000002.4613450552.00000000046AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Applications\\VMwareHostOpen.exe
Source: Amcache.hve.14.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node | graph_1-401
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node | graph_1-390
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_4-392
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_4-381
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_5-17785
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_5-17774
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_10-398
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_10-387
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_11-17328
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_11-17339
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_16-398
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_16-387
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_17-392
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_17-381
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_18-17342
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_18-17331
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_26-401
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_26-390
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_1001E1FE rdtsc | 5_2_1001E1FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000CCF2 LdrInitializeThunk, | 11_2_1000CCF2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00770E9F LoadLibraryA,GetProcAddress, | 1_2_00770E9F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110:18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.253:18659
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.254:23588
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 (4 occurrences)
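The lines above are the part of this section an analyst actually acts on: four outbound connections from rundll32.exe, three of them to high non-standard ports, cmd.exe launching the DLL through rundll32.exe with export ordinal #1, the "ping 127.0.0.1 -n 3" idiom (three echo requests to loopback about one second apart, so roughly a two-second sleep without needing timeout.exe), and the DebugPort queries listed earlier in the section. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses behaviour lines in the shape this report prints them and reduces them to connection IOCs, sleep delays, DLL loads and anti-debug counts. The sample input is constructed from the values in this report, and the exact text-export line format (path run straight into the observation, optional trailing link text) is an assumption.

```python
import re

# Constructed sample input: behaviour lines in the shape this report prints them
# (process path run straight into the observation, trailing "Jump to behavior" link text).
# Values are the ones listed above; the line format itself is assumed, not documented.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 202.108.0.52 80Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.110 18530Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.160.131.253 18659Jump to behavior",
    r"Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.160.131.254 23588Jump to behavior",
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1Jump to behavior',
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3",
    r"Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior",
]

# "Source: <path>.exe<Observation>: <detail>[Jump to behavior]"
LINE_RE = re.compile(
    r"^Source: (?P<src>[A-Za-z]:\\[^:]*?\.exe)(?P<kind>[A-Za-z ]+?): (?P<detail>.*?)(?:Jump to behavior)?$"
)

# Ports a loader would plausibly use for plain HTTP/HTTPS/DNS and similar; anything else
# deserves a second look, which is how the report arrives at "non-standard ports".
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389, 8080, 8443}

PING_RE = re.compile(r"\bping(?:\.exe)?\b(?P<args>.*)$", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"(?<!\S)(?:127\.0\.0\.1|localhost|::1)(?!\S)", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>#?\w+)', re.IGNORECASE)


def ping_sleep_seconds(cmdline):
    """Return the delay a 'ping <loopback> -n N' command produces, or None if it is not one.

    ping.exe waits about one second between consecutive echo requests, and loopback answers
    at once, so N requests block for roughly N-1 seconds. Windows defaults to 4 requests.
    """
    m = PING_RE.search(cmdline)
    if not m or not LOOPBACK_RE.search(m.group("args")):
        return None
    c = COUNT_RE.search(m.group("args"))
    count = int(c.group(1)) if c else 4
    return max(count - 1, 0)


def triage(lines):
    """Reduce raw behaviour lines to the facts an analyst acts on."""
    out = {"network": [], "ping_sleeps": [], "rundll32_loads": [], "debugport_queries": 0, "unparsed": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            out["unparsed"].append(line)
            continue
        src, kind, detail = m.group("src"), m.group("kind"), m.group("detail")
        if kind == "Network Connect":
            ip, port = detail.split()
            port = int(port)
            out["network"].append({"src": src, "ip": ip, "port": port, "nonstandard": port not in COMMON_PORTS})
        elif kind == "Process created":
            secs = ping_sleep_seconds(detail)
            if secs is not None:
                out["ping_sleeps"].append({"parent": src, "cmdline": detail, "sleep_s": secs})
            r = RUNDLL_RE.search(detail)
            if r:
                out["rundll32_loads"].append({"parent": src, "dll": r.group("dll"), "export": r.group("export")})
        elif kind == "Process queried" and detail == "DebugPort":
            # NtQueryInformationProcess(ProcessDebugPort): the classic "am I being debugged" check.
            out["debugport_queries"] += 1
    return out


def ports_by_ip(report):
    """Group destination ports per IP; many ports on one IP is the report's port-scanning pattern."""
    grouped = {}
    for c in report["network"]:
        grouped.setdefault(c["ip"], set()).add(c["port"])
    return grouped


def iocs(report):
    """Sorted 'ip:port' strings for every connection, ready for a blocklist or hunt query."""
    return sorted(f"{c['ip']}:{c['port']}" for c in report["network"])


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    for c in r["network"]:
        flag = "NON-STANDARD PORT" if c["nonstandard"] else ""
        print(f"connect {c['ip']}:{c['port']} from {c['src']} {flag}")
    for p in r["ping_sleeps"]:
        print(f"ping-sleep ~{p['sleep_s']}s: {p['cmdline']}")
    for d in r["rundll32_loads"]:
        print(f"rundll32 load: {d['dll']} export {d['export']}")
    print(f"DebugPort queries: {r['debugport_queries']}")
    print("IOCs:", ", ".join(iocs(r)))
```

The sleep estimate is the reason the "Uses ping.exe to sleep" signature matters for timing: a sandbox that fast-forwards Sleep() calls does not shorten a child ping.exe, so the delay survives, and four such launches add up to the better part of ten seconds before the payload proceeds.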
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (220 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | Binary or memory string: MsMpEng.exe
All five hits come from Amcache.hve, the Windows application-compatibility hive that records programs executed on the analysis machine; they show that Defender's MsMpEng.exe ran there, not that the sample itself carries AV process names, so weight the "AV process strings found" signature accordingly.

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0 (listed 4 times in the report)
Opening the raw physical-disk object is what the "Queries disk data (e.g. SMART data)" signature requires; together with the repeated CentralProcessor\0 registry reads it is consistent with hardware fingerprinting of the host rather than with reading file contents.
MITRE ATT&CK Matrix (one line per tactic, techniques in matrix order; a number in parentheses is the signature badge text as extracted from the cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (111); Registry Run Keys / Startup Folder (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (111); Rundll32 (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (2); System Information Discovery (111); Security Software Discovery (31); Virtualization/Sandbox Evasion (31); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1558492 | Sample: jYAKmjIPgI.dll | Start date: 19/11/2024 | Architecture: WINDOWS | Score: 100

Contacted domains: host123.zz.am, blogx.sina.com.cn, blog.sina.com.cn
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 3 other signatures

Process tree (numbers are the graph's node IDs; signatures follow the node they attach to):
loaddll32.exe (10)
  cmd.exe (14) | Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
    rundll32.exe (26) | Found evasive API chain (may stop execution after checking mutex); Queries disk data (e.g. SMART data)
      cmd.exe (41) | Uses ping.exe to sleep
        PING.EXE (50) -> 127.0.0.1
        conhost.exe (53)
  rundll32.exe (17) | System process connects to network (likely due to code injection or exploit); Creates an autostart registry key pointing to binary in C:\Windows; Queries disk data (e.g. SMART data)
    -> 107.163.56.110:18530 (TAKE2US, United States); 107.160.131.253:18659 (AS40676US, United States); 2 other IPs or domains
  rundll32.exe (20)
    rundll32.exe (29)
      cmd.exe (44)
        conhost.exe (55)
        PING.EXE (57)
    cmd.exe (31) | Uses ping.exe to sleep
      conhost.exe (46)
      PING.EXE (48)
  5 other processes (24)
    WerFault.exe (37)
    WerFault.exe (39)
rundll32.exe (12)
  cmd.exe (22)
    conhost.exe (33)
    PING.EXE (35)
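Detection logic for three behaviours in the process tree above: cmd.exe spawned by rundll32.exe running PING.EXE against 127.0.0.1 as a sleep, rundll32.exe itself connecting to a non-standard port, and a Run-key value whose target lives under C:\Windows. This is an added example, not Joe Sandbox or sample code. The events are constructed in a Sysmon-like shape: the image chains, node numbers and the two C2 ports follow the report, while every command line, the Run value name "Example" and the C:\Windows DLL path are assumptions the report does not print.

```python
"""Three detections over constructed Sysmon-like events (added example, not
report tooling): ping-to-loopback sleeps under rundll32, rundll32 on
non-standard ports, and Run-key persistence pointing into C:\\Windows."""
import re
from typing import Dict, List, Tuple

ALLOWED_PORTS = {80, 443}   # what a rundll32-hosted DLL may plausibly reach
MIN_PING_COUNT = 5          # 'ping 127.0.0.1 -n 5' already sleeps about 4 s

PING_RE = re.compile(r"\bping(?:\.exe)?\b.*?\b(?:127\.0\.0\.1|localhost)\b", re.I)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
WINDOWS_DIR_RE = re.compile(r"c:\\windows\\", re.I)

# Constructed events: id 1 = process create, 3 = network connect, 13 = registry set.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 26, "ppid": 14, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe jYAKmjIPgI.dll,#1"},                 # assumed args
    {"id": 1, "pid": 41, "ppid": 26, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c ping 127.0.0.1 -n 30 > nul"},               # assumed
    {"id": 1, "pid": 50, "ppid": 41, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 30"},                            # assumed
    # Benign control: a short interactive ping under explorer.exe must not fire.
    {"id": 1, "pid": 62, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer"},
    {"id": 1, "pid": 61, "ppid": 62, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"id": 1, "pid": 60, "ppid": 61, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 1"},
    {"id": 3, "pid": 17, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst": "107.163.56.110", "dport": 18530},                      # port from the report
    {"id": 3, "pid": 17, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst": "107.160.131.253", "dport": 18659},                     # port from the report
    {"id": 3, "pid": 17, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst": "202.108.0.52", "dport": 80},                           # constructed control
    {"id": 13, "pid": 17, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",  # hypothetical name
     "data": r"rundll32.exe C:\Windows\example.dll,#1"},            # hypothetical path
]

Finding = Tuple[str, int]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_ping_sleep(events: List[Dict]) -> List[Finding]:
    """PING.EXE to loopback with a repeat count, launched by cmd.exe whose
    parent is rundll32.exe: the 'Uses ping.exe to sleep' pattern."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits: List[Finding] = []
    for e in procs.values():
        if basename(e["image"]) != "ping.exe" or not PING_RE.search(e["cmdline"]):
            continue
        count = COUNT_RE.search(e["cmdline"])
        if not count or int(count.group(1)) < MIN_PING_COUNT:
            continue
        parent = procs.get(e["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if parent and grand and basename(parent["image"]) == "cmd.exe" \
                and basename(grand["image"]) == "rundll32.exe":
            hits.append(("ping_sleep_from_rundll32", e["pid"]))
    return hits


def detect_rundll32_nonstd_port(events: List[Dict]) -> List[Finding]:
    """rundll32.exe owning a socket to a port outside ALLOWED_PORTS."""
    return [("rundll32_nonstandard_port", e["pid"]) for e in events
            if e["id"] == 3 and basename(e["image"]) == "rundll32.exe"
            and e["dport"] not in ALLOWED_PORTS]


def detect_run_key_into_windows(events: List[Dict]) -> List[Finding]:
    """Run/RunOnce value whose data references a binary under C:\\Windows."""
    return [("run_key_into_windows", e["pid"]) for e in events
            if e["id"] == 13 and RUN_KEY_RE.search(e["key"])
            and WINDOWS_DIR_RE.search(e["data"])]


def run_all(events: List[Dict]) -> List[Finding]:
    return (detect_ping_sleep(events) + detect_rundll32_nonstd_port(events)
            + detect_run_key_into_windows(events))


if __name__ == "__main__":
    for rule, pid in run_all(EVENTS):
        print(f"{rule}: pid {pid}")
```

In production the Run-key rule needs an allowlist, because Windows itself registers Run values under C:\Windows\System32 (Defender's tray application is one); the port rule is deliberately tied to rundll32.exe as the connecting image, since a DLL hosted in rundll32 has no normal reason to own a raw socket at all, let alone on 18530 or 18659.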

Antivirus detection (Source | Detection | Scanner | Label)
jYAKmjIPgI.dll | 97% | ReversingLabs | Win32.Backdoor.Zegost
jYAKmjIPgI.dll | 100% | Avira | TR/ATRAPS.Gen
jYAKmjIPgI.dll | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
http://107.160.131.253:18659//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mtiWmtaWndm | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.html | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpC: | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php. | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpB | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpDo | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php5 | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php= | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php/ | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpm | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phppn | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php( | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.php4n | 0% | Avira URL Cloud | safe
http://www.rsac.org/ratingsv01.html | 0% | Avira URL Cloud | safe
http://107.160.13I | 0% | Avira URL Cloud | safe
http://107.160.131.254:23588/article.phpnager_cw5n1h2tx | 0% | Avira URL Cloud | safe
http://107.160.131.253:18659/ | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
blogx.sina.com.cn | 202.108.0.52 | true | false | | high
host123.zz.am | unknown | unknown | false | | unknown
blog.sina.com.cn | unknown | unknown | false | | high
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation)
http://107.160.131.254:23588/article.php | rundll32.exe, rundll32.exe, 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.253:18659//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mtiWmtaWndm | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093ication | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093i | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093i/ | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.phpB | rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpC: | rundll32.exe, 00000005.00000002.4619774696.00000000055CD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4621511995.00000000057EA000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.html | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.LOG1.14.dr, Amcache.hve.14.dr | false | | high
http://blog.sina.com.cn/u/%s | rundll32.exe, 00000005.00000002.4913750024.0000000038F22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4613450552.0000000004732000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000005.00000002.4623447419.0000000005A0D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.php= | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpDo | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093$ | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.php5 | rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php/ | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php. | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpm | rundll32.exe, 00000005.00000002.4612672971.0000000002761000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpnager_cw5n1h2tx | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php( | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php4n | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rsac.org/ratingsv01.html | rundll32.exe, rundll32.exe, 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.253:18659/ | rundll32.exe, rundll32.exe, 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093z | rundll32.exe, 00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093; | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.phppn | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.13I | rundll32.exe, 00000005.00000002.4619774696.00000000055CD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4619663807.000000000554D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093C | rundll32.exe, 00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
107.160.131.253 | unknown | United States | 40676 | AS40676US | true
107.160.131.254 | unknown | United States | 40676 | AS40676US | true
                            IP
                            127.0.0.1
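The URL and IP tables above carry the sample's network indicators in the report's flattened form: each URL is fused to the name of the process whose memory it was found in, followed by the memory-dump file the string came from and the per-URL verdict. The script below is an added example written for this page, not Joe Sandbox code and not part of the original report. It takes four rows copied from the URL table (constructed inline), peels the fused process name off the URL, decodes the .sdmp name into base address, page protection and region type, and builds a de-duplicated host:port list that flags IP-literal hosts and strings found in an executable, writable image region. Two things are assumptions: the .sdmp field order pid.counter.timestamp.base.protect.state.type.id with the protect/type fields holding Win32 PAGE_*/MEM_* values (only those two fields are decoded; the rest stay raw), and the KNOWN_PROCESSES list, which is just the process names that appear in this report.

```python
"""IOC normaliser for Joe Sandbox URL-table rows (added example, not Joe Sandbox code).

ROWS is constructed by copying four entries from the URL table of this report.
Assumption: an .sdmp name is pid.counter.timestamp.base.protect.state.type.id,
with protect/type being Win32 MEMORY_BASIC_INFORMATION values; only those two
fields are decoded, the others are kept as raw strings.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input, flattened as "<url><process>, [<process>, ]<dump>.sdmp<malicious>".
ROWS = [
    "http://www.rsac.org/ratingsv01.htmlrundll32.exe, rundll32.exe, "
    "00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmpfalse",
    "http://107.160.131.253:18659/rundll32.exe, rundll32.exe, "
    "00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmpfalse",
    "http://blog.sina.com.cn/u/5762479093zrundll32.exe, "
    "00000005.00000002.4612672971.000000000270B000.00000004.00000020.00020000.00000000.sdmp, "
    "rundll32.exe, "
    "00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://107.160.131.254:23588/article.phppnrundll32.exe, "
    "00000005.00000002.4612672971.00000000027B4000.00000004.00000020.00020000.00000000.sdmpfalse",
]
# Assumption: process names seen in this report; used to peel the fused name off the URL.
KNOWN_PROCESSES = ("rundll32.exe", "loaddll32.exe", "WerFault.exe")

# Win32 constants from winnt.h (page protection low byte, region type).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<counter>[0-9a-f]{8})\.(?P<timestamp>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<id>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


def parse_sdmp(name):
    """Decode a memory-dump file name (field layout is the assumption stated above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox dump name: %r" % name)
    protect = int(m["protect"], 16) & 0xFF   # drop PAGE_GUARD / PAGE_NOCACHE modifiers
    mtype = int(m["type"], 16)
    return {"pid_field": m["pid"], "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype)),
            "rwx": protect in (0x40, 0x80)}     # page is executable AND writable


def parse_url_row(row):
    """Split one flattened row into url, host, port, processes, dumps, malicious flag."""
    tokens = [t.strip() for t in row.split(", ")]
    last = tokens[-1]
    if last.endswith("true"):
        malicious, tokens[-1] = True, last[:-4]
    elif last.endswith("false"):
        malicious, tokens[-1] = False, last[:-5]
    else:
        raise ValueError("row has no malicious flag: %r" % row)
    procs = {t for t in tokens[1:] if t.lower().endswith(".exe")}
    dumps = [parse_sdmp(t) for t in tokens[1:] if t.lower().endswith(".sdmp")]
    url = tokens[0]
    # The first source's process name is glued to the URL; strip the longest known one.
    for p in sorted(procs | set(KNOWN_PROCESSES), key=len, reverse=True):
        if url.lower().endswith(p.lower()):
            url, procs = url[:-len(p)], procs | {p}
            break
    parts = urlsplit(url)
    return {"url": url, "scheme": parts.scheme, "host": parts.hostname, "port": parts.port,
            "malicious": malicious, "processes": sorted(procs), "dumps": dumps}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def network_iocs(rows):
    """Aggregate rows into {(host, port): summary}, de-duplicated across rows."""
    iocs = {}
    for rec in map(parse_url_row, rows):
        if not rec["host"]:
            continue
        port = rec["port"] or (443 if rec["scheme"] == "https" else 80)
        e = iocs.setdefault((rec["host"], port), {
            "ip_literal": is_ip_literal(rec["host"]), "malicious_flag": False,
            "rwx_image": False, "processes": set(), "raw_urls": set()})
        e["malicious_flag"] |= rec["malicious"]
        # A string inside an executable+writable MEM_IMAGE region means a section of the
        # loaded module is mapped RWX; normal image sections are PAGE_EXECUTE_READ (.text)
        # or PAGE_READWRITE (.data), never both.
        e["rwx_image"] |= any(d["rwx"] and d["type"] == "MEM_IMAGE" for d in rec["dumps"])
        e["processes"].update(rec["processes"])
        e["raw_urls"].add(rec["url"])
    return iocs


def blocklist(iocs):
    """host:port lines for IP-literal hosts, the C2 candidates in this report."""
    return sorted("%s:%d" % k for k, e in iocs.items() if e["ip_literal"])


if __name__ == "__main__":
    found = network_iocs(ROWS)
    for key, e in sorted(found.items()):
        print(key, e["ip_literal"], e["rwx_image"], sorted(e["raw_urls"]))
    print(blocklist(found))
```

Two points from the tables drive the design. The per-URL Malicious flag is false for every row (Avira URL Cloud rates them safe) while the IP table marks 107.163.56.110, 107.160.131.253 and 107.160.131.254 as malicious, so the script keys on host and port rather than on the URL verdict. The trailing z, ; and C on the blog.sina.com.cn entries and the truncated 107.160.13I are bytes that happened to follow the string in memory, so the raw URLs are kept only as evidence and the truncated fragment is left out of the constructed input.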
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1558492
                            Start date and time:2024-11-19 14:21:01 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 19s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:34
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:jYAKmjIPgI.dll
                            renamed because original name is a hash value
                            Original Sample Name:20514624060a4c8d965a20ee9a7789237081988d.dll
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winDLL@42/10@51/5
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 95%
                            • Number of executed functions: 83
                            • Number of non-executed functions: 56
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.42.73.29
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: jYAKmjIPgI.dll
Time | Type | Description
08:21:57 | API Interceptor | 1091667x Sleep call for process: rundll32.exe modified
08:22:04 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
08:25:45 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
202.108.0.52 | VqCbf9fhnQ.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | k4F4uRTZZR.dll | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | 5jme4p7u76.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
107.163.56.110 | MYuRWuVXzX.dll | malicious | Unknown |
107.163.56.110 | 81mieek02V.dll | malicious | Unknown |
107.163.56.110 | Vb1S2HJcnN.dll | malicious | Unknown |
107.163.56.110 | 02hNixBIvP.exe | malicious | Unknown |
107.163.56.110 | abc.dll | malicious | Unknown |
107.160.131.253 | 81mieek02V.dll | malicious | Unknown |
107.160.131.253 | Vb1S2HJcnN.dll | malicious | Unknown |
107.160.131.254 | 81mieek02V.dll | malicious | Unknown |
107.160.131.254 | Vb1S2HJcnN.dll | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
blogx.sina.com.cn | NaRZIOq3O8.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 33twe7X26S.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | k4F4uRTZZR.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | http://zeuso.cc | malicious | Unknown | 202.108.0.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676US | 81mieek02V.dll | malicious | Unknown | 107.160.131.254
AS40676US | Vb1S2HJcnN.dll | malicious | Unknown | 107.160.131.254
AS40676US | Malwarebytes Premium v4.6.8.311.exe | malicious | Unknown | 41.216.183.30
AS40676US | Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
AS40676US | QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
AS40676US | 5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
AS40676US | e8HOp8k5Kj.js | malicious | Unknown | 45.61.137.33
AS40676US | Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
AS40676US | QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
AS40676US | 5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | NaRZIOq3O8.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 33twe7X26S.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.mips.elf | malicious | Unknown | 111.193.177.206
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.x86.elf | malicious | Unknown | 60.194.199.155
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
TAKE2US | NaRZIOq3O8.dll | malicious | Unknown | 107.163.241.193
TAKE2US | 33twe7X26S.dll | malicious | Unknown | 107.163.241.193
TAKE2US | MYuRWuVXzX.dll | malicious | Unknown | 107.163.56.110
TAKE2US | JwLT3elUtn.dll | malicious | Unknown | 107.163.43.161
TAKE2US | yKVQVNB2qI.dll | malicious | Unknown | 107.163.56.240
TAKE2US | 46PhJ3XpBT.dll | malicious | Unknown | 107.163.43.236
TAKE2US | 01JkTmNJhe.dll | malicious | Unknown | 107.163.43.235
TAKE2US | oQy3XhO4cX.dll | malicious | Unknown | 107.163.56.251
TAKE2US | gmqIbj35WF.dll | malicious | Unknown | 107.163.56.240
TAKE2US | Bcr1Wl2Jn0.dll | malicious | Unknown | 107.163.56.240
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):721
                                              Entropy (8bit):4.51087334116723
                                              Encrypted:false
                                              SSDEEP:12:8P9XT41oUpHKJoznML9dnx+au4RYYYYYYYYYYYYYYYYYYYYP:8P9XUDMoLML9ZEk
                                              MD5:63CEC18DEC0507F1519A077154B16137
                                              SHA1:4BE9964AEFFBC60E5788B5A1CF0361C3B8502309
                                              SHA-256:86B54E8E351406B754DF00234572B0366D2FC188A2F7C1991B4FA225645D1C6C
                                              SHA-512:934CF25DC07366DAD401B933488597FBDE8D2091F77C7EA31C779175B343E3E32BB188A5F8BBCA6D889672BAF5AF51FBAFB8D0158C78A7BBE858D61AC835F5C3
                                              Malicious:false
                                              Preview:..2024-11-21 12:37..iOffset....2024-11-22 08:49..iOffset....2024-11-24 01:25..iOffset....2024-11-25 20:11..iOffset....2024-11-26 17:39..iOffset....2024-11-27 17:02..iOffset....2024-11-28 17:25..iOffset....2024-11-29 19:03..iOffset....2024-12-01 03:02..iOffset....2024-12-04 12:38..iOffset....2024-12-07 01:41..iOffset....2024-12-15 01:36..iOffset....2024-12-26 02:34..iOffset....2032-01-16 15:04..iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset......&.iOffset..
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9510369539506643
                                              Encrypted:false
                                              SSDEEP:192:CuYihOC30BU/wjeTq1W6ZYzuiFfZ24IO8dci:7Yi4CEBU/wjek7YzuiFfY4IO8dci
                                              MD5:41CD8994593D6A3FC9A62506011C08EF
                                              SHA1:869414D0C7F233B73D41567D220826201F1493F1
                                              SHA-256:0DBE44774448A1903E0F164A1740AF752FB5EAD0F7BEA7F2AA3A5C294D4F0E75
                                              SHA-512:F010D87239E461825FE0778CD87D64D236C6F8686581DE08A68C9D5723E9296AC3140DA2D55E1F8A220A29D90E60D7F009273ADE2C07842E17B3674CC951D867
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.1.2.2.0.1.2.8.6.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.1.2.2.5.7.5.3.6.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.c.0.5.4.6.0.-.6.e.3.7.-.4.4.9.8.-.b.0.2.0.-.1.8.3.5.b.2.b.1.6.b.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.d.a.7.2.f.b.-.f.e.b.6.-.4.1.2.3.-.a.4.d.2.-.2.6.7.4.e.a.6.6.2.c.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.e.4.-.0.0.0.1.-.0.0.1.5.-.c.6.7.c.-.a.c.0.4.8.6.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:22:02 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):45608
                                              Entropy (8bit):2.0081242419029386
                                              Encrypted:false
                                              SSDEEP:192:ZUVbTnwZsXsX8hO5H44o1sCDBHpgAib/zLvK3V1T:CVAZkU5HtROV7ib/zLI1T
                                              MD5:4B7624595DEC01954E941BC950A5D093
                                              SHA1:36978588FD5E58052EB09EE5E18E0F82DBA41066
                                              SHA-256:9EF118B6AFA215210A29E07A5669DF8DC7CC8868301A58A82E5B4D079EB3EAEE
                                              SHA-512:6DBC8B4A4D8F8CB7C2CBA7C2AE0E309B7ADF3B2A0CCC02C2C6410E0F87A7C3DFE2B2A24F62F14B3FCD819ABCDC754537708CDD639CC35A72E41E6D6419FF4663
                                              Malicious:false
                                              Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T...............`...........L...........8...............................................................................eJ..............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8272
                                              Entropy (8bit):3.6907972751148814
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJxs6rhz6YkrK6hgmfTZeprO89bGpsfKim:R6lXJq6rV6YV6hgmfTZsGCf2
                                              MD5:71A23CB2C33E1B29F8BFB7F8F153F168
                                              SHA1:7A64AD4A75F174329FD5D58AEA77A35FB1BC9445
                                              SHA-256:D23FC3912FA695183F23AAB7190F6C793338536948D8169BCBAC8367717A5ECA
                                              SHA-512:434803CCAB9B38E123BA20880F4F864B4859D53A2E16F2A40B9F7CA1DE5FE7DED372BD7C423251754431737FEEA6A2BBF810ED753834AAAF63CC3F8E90F99C91
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.6.4.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4654
                                              Entropy (8bit):4.456557109178754
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsHJg77aI9vEWpW8VYVYm8M4JCdPSFE+q8/ARhGScSgd:uIjfpI7Jd7VNJcZhJ3gd
                                              MD5:EE5CD9E6C92372238C749E610AF58C74
                                              SHA1:5CFC11E5D9B8F6AC551D066FC62454E0B1D5F79B
                                              SHA-256:C9BF5C92F20DA9B79EC11F6530CB674BF9C4FC4C94341915D770C150F4D4C2E5
                                              SHA-512:F50BD4791B666C916E097683636B7B9CEAF963CA1E8DB7564C4A7C3F07D674C987150C31A4100A28885D3A73C4B246BBF96E980C912CF02175A77CD58FC199EA
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:22:05 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):46602
                                              Entropy (8bit):1.9773413880010302
                                              Encrypted:false
                                              SSDEEP:192:KLuTPmZ9IXsXlCqO5H4YO5nJYtUAU1/XKa5228XP/pX:05Z9S5Hdwir4/XKKWPxX
                                              MD5:CA71759ADF2F63508EF19A696947C556
                                              SHA1:57B2B4A285E096C28B840F82923C76F8BF7151E4
                                              SHA-256:E59C537109E76012CB2D0FA288713B4DA18F2F384583E7911A7B940887E6E455
                                              SHA-512:FEA65EF2BFD8FB6E31C7D127BD54A479D725713D784BA37A959C3255778AE965A4D2B6FDCD609778501FE3AE40F5D35637D1EBEDBCD64303DE910A230E1DBA46
                                              Malicious:false
                                              Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T...............j...........L...........8...............................................................................eJ..............GenuineIntel............T.......8.....<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8266
                                              Entropy (8bit):3.688541871630942
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJKo6P6YkTQl6agmfTZeprO89b5vsfGzm:R6lXJ96P6YFl6agmfTZs5UfT
                                              MD5:546C2F6B02C6AE36C14F9039DDF56375
                                              SHA1:14E04280828182B0244EE31686FAAD2A87B0F79B
                                              SHA-256:2C5CB3E873B70A73587683C823F39F0A5A3FD733E8FA100631D1C6E348A78AC6
                                              SHA-512:8A14ED35C3ED68C137C4EC71E9C232D43CD2FA3884904DF924F3976C9DA707DAEBA67411540777D06E74464646B5D9DBB04B9CB953235662E9AAB4D0025C7316
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4654
                                              Entropy (8bit):4.4594561375554855
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsHJg77aI9vEWpW8VYA9Ym8M4JCdPSFf2+q8/ANnGScS1d:uIjfpI7Jd7VJcJH2lnJ31d
                                              MD5:5D876CFB32E020A5A27F9D34EA74D27A
                                              SHA1:35638157602FE77926779367B31ECC3DB088431D
                                              SHA-256:E6C072B8B4963FF12F9C5316C999439E1676048F2089D0112486683F92A8AA5E
                                              SHA-512:3C5C60FAA9F9B86D2AC9990CDB6C4BED1F06D14C5C105D2A154629D4518A2118453E122D48197F80BF652D7ED55A658537901DCC279448B597029A31E276171F
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.469381284289462
                                              Encrypted:false
                                              SSDEEP:6144:tzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:lZHtYZWOKnMM6bFpHj4
                                              MD5:A6786AC4E4870064416DD6DB830B32F4
                                              SHA1:84EEE169853CF270C266A2B55E6CA5B3CE51F495
                                              SHA-256:3843611F7F16350D47B131441DDFEA53526DC53771EBDA8F0F4385534347B9EF
                                              SHA-512:4B7953761D20CCB04C247A71290100E610F844DA2D2020C0E946931CDD0F5988AFAE40FD48E56A4268E0173C79AF09092CD3FF94C70B988C67FB41238C9CA484
                                              Malicious:false
                                              Preview:regfH...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....:..............................................................................................................................................................................................................................................................................................................................................9..0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1769472
                                              Entropy (8bit):4.576763077979351
                                              Encrypted:false
                                              SSDEEP:6144:HzZfpi6ceLPx9skLmb0fYZWSPDaJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:TZHtYZWSKnMM6bFpHj4
                                              MD5:F3E33B028AF0D2E0CDF5AEA3A6773A09
                                              SHA1:EFF4713110755BA8E93507E9B891018D9FAB1C65
                                              SHA-256:527364C8396265DB1BDAB94657F7A926058DF278D8B3DBDF56838C8E14DC3D8D
                                              SHA-512:B652AE98212BDAB559C26CB96938554521498E5DA9FD6C545A42D30C1BA7F2539AE85DCEBCE6C93448E94516E33236ED6BEAD20DEB84B3014E7D776258977C5E
                                              Malicious:false
                                              Preview:regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....:..............................................................................................................................................................................................................................................................................................................................................0..0HvLE........G..........."}....s=..'.^U......0...@......hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........]...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............
                                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                              Entropy (8bit):7.960873131985103
                                              TrID:
                                              • Win32 Dynamic Link Library (generic) (1002004/3) 90.54%
                                              • Win32 EXE PECompact compressed (v2.x) (59071/9) 5.34%
                                              • Win32 EXE PECompact compressed (generic) (41571/9) 3.76%
                                              • Generic Win/DOS Executable (2004/3) 0.18%
                                              • DOS Executable Generic (2002/1) 0.18%
                                              File name:jYAKmjIPgI.dll
                                              File size:175'345 bytes
                                              MD5:53bd35fc7c146ce64dae892fb6bf5fbb
                                              SHA1:20514624060a4c8d965a20ee9a7789237081988d
                                              SHA256:dfb1117e6d202d6d5bdd30b67516a1589b4f8f636d42509aca46efaa51bd9b7c
                                              SHA512:80dad6e31ceb9a979c854af42c0d718a6f37668775809480c1800fe10dc9852ad4a0d9a1b9bb938c4ecb94d358bf4d194e6c0de06901b436d6c458cc2cbbe0bf
                                              SSDEEP:3072:R2Iz9CI8mUOtDDPwLkBLXLDFkKmvzXBpLHYmmO1QezRd7UcPa1xMjM7d:Rjz9X8mXGUXVPmr9mOzRd7UcPKoM5
                                              TLSH:7F0412B0F3F98B59F0A716B70831597CC97638826329277FC2885A6EAC5442FF18D764
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................
                                              Icon Hash:7ae282899bbab082
                                              Entrypoint:0x1004fe9b
                                              Entrypoint Section:.rsrc
                                              Digitally signed:false
                                              Imagebase:0x10000000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                              DLL Characteristics:
                                              Time Stamp:0x565C7C9C [Mon Nov 30 16:43:08 2015 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:bb6e4ad1ce3cf53a77a13b1c6fafb901
                                              Instruction
                                              mov eax, 10050CB4h
                                              push eax
                                              push dword ptr fs:[00000000h]
                                              mov dword ptr fs:[00000000h], esp
                                              xor eax, eax
                                              mov dword ptr [eax], ecx
                                              push eax
                                              inc ebp
                                              inc ebx
                                              outsd
                                              insd
                                              jo 00007FB431182493h
                                              arpl word ptr [edx+esi+00h], si
                                              add byte ptr [eax], al
                                              or byte ptr [eax+eax], cl
                                              dec eax
                                              loope 00007FB431182433h
                                              push esi
                                              push edi
                                              push ebx
                                              push ebp
                                              mov ebx, dword ptr [esp+1Ch]
                                              test ebx, ebx
                                              je 00007FB3EF0045E1h
                                              push cs
                                              out 60h, al
                                              or eax, 72656B0Bh
                                              outsb
                                              insb
                                              xor esi, dword ptr [edx]
                                              adc al, 44h
                                              push es
                                              mov eax, C08513FFh
                                              cmp byte ptr [edi+0CE8F08Bh], cl
                                              xor eax, dword ptr [esi+6900ECE3h]
                                              jc 00007FB4311824A6h
                                              jne 00007FB431182493h
                                              insb
                                              inc esi
                                              sbb bh, bh
                                              push ebx
                                              add al, 3Eh
                                              mov dword ptr [8BFFC4D0h], eax
                                              call 00007FB3D4593FA7h
                                              xor eax, dword ptr [edi+636F6E15h]
                                              sbb al, 58h
                                              mov esp, dword ptr [esp+edx]
                                              jl 00007FB4311823C1h
                                              sar ecx, FFFFFFA1h
                                              sbb byte ptr [edx+68h], ch
                                              adc byte ptr [eax-01h], cl
                                              pushad
                                              clc
                                              cmp dword ptr [ecx], 3F33D008h
                                              mov ebx, eax
                                              push eax
                                              push esp
                                              jbe 00007FB431182436h
                                              push edi
                                              or byte ptr [eax], cl
                                              lea eax, dword ptr [esi+0Fh]
                                              inc edx
                                              aad C9h
                                              stc
                                              mov dh, 0Ch
                                              add eax, FF0C300Dh
                                              adc dword ptr [esi], ecx
                                              push eax
                                              push ebx
                                              call 00007FB3F59BCD58h
                                              sub byte ptr [edx+58h], bl
                                              je 00007FB431182435h
                                              int3
                                              adc dword ptr [edx], esi
                                              jne 00007FB431182465h
                                              dec eax
                                              push eax
                                              add byte ptr [eax+53h], FFFFFFD5h
                                              pop eax
                                              push eax
                                              add byte ptr [edx], cl
                                              push eax
                                              Programming Language:
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ C ] VS98 (6.0) build 8168
                                              • [C++] VS98 (6.0) build 8168
                                              • [RES] VS98 (6.0) cvtres build 1720
                                              • [LNK] VS98 (6.0) imp/exp build 8168
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4fb24 | 0x68 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fc14 | 0x2eb | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0xb10 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x51000 | 0x18 | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x4e000 | 0x28800 | 616e4770cbaa1701277e430d81cefbf7 | False | 0.9978238329475309 | data | 7.997797944306588 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0x4f000 | 0x2000 | 0x1e00 | 4178e173c28267cb5211773428c4940e | False | 0.6875 | data | 6.368056297656816 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .reloc | 0x51000 | 0x1000 | 0x200 | aa11e7584102ed6962d8c933636a8bad | False | 0.0625 | data | 0.2162069074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_STRING | 0x4b000 | 0x16c | empty | English | United States | 0
                                               RT_STRING | 0x4b170 | 0x86 | empty | English | United States | 0
                                               RT_STRING | 0x4b1f8 | 0x56 | empty | English | United States | 0
                                               RT_STRING | 0x4b250 | 0x16e | empty | English | United States | 0
                                               RT_STRING | 0x4b3c0 | 0x128 | empty | English | United States | 0
                                               RT_STRING | 0x4b4e8 | 0xd2 | empty | English | United States | 0
                                               RT_STRING | 0x4b5c0 | 0x6a | empty | English | United States | 0
                                               RT_STRING | 0x4b630 | 0xc8 | empty | English | United States | 0
                                               RT_STRING | 0x4b6f8 | 0x200 | empty | English | United States | 0
                                               RT_STRING | 0x4b8f8 | 0x23e | empty | English | United States | 0
                                               RT_STRING | 0x4bb38 | 0x12e | empty | English | United States | 0
                                               RT_STRING | 0x4bc68 | 0xca | empty | English | United States | 0
                                               RT_STRING | 0x4bd38 | 0x252 | empty | English | United States | 0
                                               RT_STRING | 0x4bf90 | 0x28e | empty | English | United States | 0
                                               RT_STRING | 0x4c220 | 0xce | empty | English | United States | 0
                                               RT_STRING | 0x4c2f0 | 0x15c | empty | English | United States | 0
                                               RT_STRING | 0x4c450 | 0x398 | empty | English | United States | 0
                                               RT_STRING | 0x4c7e8 | 0x2ae | empty | English | United States | 0
                                               RT_STRING | 0x4ca98 | 0x42 | empty | English | United States | 0
                                               RT_STRING | 0x4cae0 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cb00 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cb20 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cb40 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cb60 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cb80 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cba0 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cbc0 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cbe0 | 0x7a | empty | English | United States | 0
                                               RT_STRING | 0x4cc60 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cc80 | 0x20 | empty | English | United States | 0
                                               RT_STRING | 0x4cca0 | 0x13a | empty | English | United States | 0
                                               RT_STRING | 0x4cde0 | 0x19a | empty | English | United States | 0
                                               RT_STRING | 0x4cf80 | 0x9a | empty | English | United States | 0
                                               RT_STRING | 0x4d020 | 0xa8 | empty | English | United States | 0
                                               RT_STRING | 0x4d0c8 | 0x20 | empty | English | United States | 0
                                               RT_VERSION | 0x4f7f0 | 0x31c | data | English | United States | 0.4296482412060301
                                               RT_HTML | 0x4d0e8 | 0x49 | empty | English | United States | 0
                                               RT_HTML | 0x4d138 | 0xd | empty | English | United States | 0
                                               RT_HTML | 0x4d148 | 0x6be | empty | English | United States | 0
                                               DLL | Import
                                               kernel32.dll | LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
                                               MFC42.DLL |
                                               MSVCRT.dll | _strcmpi
                                               USER32.dll | GetDesktopWindow
                                               ADVAPI32.dll | RegDeleteValueA
                                               WS2_32.dll | htons
                                               SHLWAPI.dll | PathIsDirectoryA
                                               ole32.dll | CoUninitialize
                                               OLEAUT32.dll | SafeArrayGetVartype
                                               MSVCP60.dll | ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
                                               NETAPI32.dll | Netbios
                                               Name | Ordinal | Address
                                               DoAddToFavDlg | 1 | 0x10008645
                                               InputFile | 2 | 0x1000678b
                                               PrintFile | 3 | 0x1000443d
                                               Language of compilation system | Country where language is spoken | Map
                                               English | United States |
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Nov 19, 2024 14:22:00.271691084 CET | 49705 | 18659 | 192.168.2.6 | 107.160.131.253
                                               Nov 19, 2024 14:22:00.271703959 CET | 49704 | 18530 | 192.168.2.6 | 107.163.56.110
                                               Nov 19, 2024 14:22:01.282921076 CET | 49704 | 18530 | 192.168.2.6 | 107.163.56.110
                                               Nov 19, 2024 14:22:01.284939051 CET | 49705 | 18659 | 192.168.2.6 | 107.160.131.253
                                               Nov 19, 2024 14:22:03.282877922 CET | 49704 | 18530 | 192.168.2.6 | 107.163.56.110
                                               Nov 19, 2024 14:22:03.282967091 CET | 49705 | 18659 | 192.168.2.6 | 107.160.131.253
                                               Nov 19, 2024 14:22:07.298533916 CET | 49704 | 18530 | 192.168.2.6 | 107.163.56.110
                                               Nov 19, 2024 14:22:07.298583984 CET | 49705 | 18659 | 192.168.2.6 | 107.160.131.253
                                               Nov 19, 2024 14:22:15.298580885 CET | 49704 | 18530 | 192.168.2.6 | 107.163.56.110
                                               Nov 19, 2024 14:22:15.298582077 CET | 49705 | 18659 | 192.168.2.6 | 107.160.131.253
                                               Nov 19, 2024 14:22:25.338327885 CET | 49737 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:25.338686943 CET | 49738 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:26.342812061 CET | 49738 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:26.345424891 CET | 49737 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:28.345477104 CET | 49738 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:28.345599890 CET | 49737 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:29.010925055 CET | 49762 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:29.331674099 CET | 49766 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:29.444307089 CET | 49768 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:29.445022106 CET | 49769 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:30.345473051 CET | 49766 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:30.454823017 CET | 49768 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:30.454827070 CET | 49769 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:32.361144066 CET | 49766 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:32.454860926 CET | 49768 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:32.454864025 CET | 49769 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:33.346560001 CET | 49795 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:33.460800886 CET | 49797 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:33.461750031 CET | 49798 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:34.361119986 CET | 49795 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:34.470470905 CET | 49797 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:34.470516920 CET | 49798 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:36.361108065 CET | 49795 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:36.470499039 CET | 49798 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:36.470501900 CET | 49797 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:37.377816916 CET | 49825 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:37.473603010 CET | 49827 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:37.488250971 CET | 49828 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:38.564230919 CET | 49825 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:38.564248085 CET | 49828 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:38.564254045 CET | 49827 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:40.564299107 CET | 49825 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:40.566498041 CET | 49827 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:40.566499949 CET | 49828 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:41.393841028 CET | 49867 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:41.509130955 CET | 49868 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:41.510525942 CET | 49869 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:42.408014059 CET | 49867 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:42.517386913 CET | 49868 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:42.517599106 CET | 49869 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:44.423691988 CET | 49867 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:44.517476082 CET | 49868 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:44.517477989 CET | 49869 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:45.534035921 CET | 49896 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:45.647869110 CET | 49899 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:45.648993015 CET | 49900 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:46.548688889 CET | 49896 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:46.642424107 CET | 49899 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:46.661799908 CET | 49900 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:48.564301014 CET | 49896 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:48.642425060 CET | 49899 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:48.658015966 CET | 49900 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:49.533845901 CET | 49928 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:49.646179914 CET | 49930 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:49.646423101 CET | 49931 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:50.548677921 CET | 49928 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:50.658046007 CET | 49930 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:50.662496090 CET | 49931 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:52.548746109 CET | 49928 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:52.658072948 CET | 49930 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:52.673675060 CET | 49931 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:53.549458027 CET | 49961 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:53.664249897 CET | 49963 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:53.665543079 CET | 49964 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:54.548710108 CET | 49961 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:54.673815012 CET | 49963 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:54.673857927 CET | 49964 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:56.548727989 CET | 49961 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:56.673687935 CET | 49963 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:56.673762083 CET | 49964 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:57.549802065 CET | 49994 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:57.676995993 CET | 49996 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:57.677544117 CET | 49997 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:58.564434052 CET | 49994 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:22:58.673753977 CET | 49997 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:22:58.689323902 CET | 49996 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:00.564435959 CET | 49994 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:00.673717976 CET | 49997 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:00.689333916 CET | 49996 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:01.565234900 CET | 50033 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:01.678303957 CET | 50034 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:01.680578947 CET | 50035 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:02.564311981 CET | 50033 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:02.673695087 CET | 50035 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:02.673702002 CET | 50034 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:04.564316034 CET | 50033 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:04.673784971 CET | 50034 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:04.689515114 CET | 50035 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:05.581825972 CET | 50064 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:05.699805021 CET | 50066 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:05.703109026 CET | 50067 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:06.689343929 CET | 50067 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:06.751822948 CET | 50064 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:06.751883030 CET | 50066 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:08.704997063 CET | 50067 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:08.751874924 CET | 50064 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:08.751874924 CET | 50066 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:09.596576929 CET | 50097 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:09.712325096 CET | 50099 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:09.713217020 CET | 50100 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:10.752674103 CET | 50097 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:10.752696037 CET | 50100 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:10.752710104 CET | 50099 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:12.954981089 CET | 50097 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:12.954996109 CET | 50100 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:12.955024004 CET | 50099 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:13.596856117 CET | 50137 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:13.717052937 CET | 50139 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:13.718554974 CET | 50140 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:14.611238003 CET | 50137 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:14.720617056 CET | 50139 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:14.720632076 CET | 50140 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:16.620980024 CET | 50137 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:16.736268044 CET | 50139 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:16.738056898 CET | 50140 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:17.613008976 CET | 50183 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:17.725452900 CET | 50185 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:17.726562977 CET | 50186 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:18.626909018 CET | 50183 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:18.736254930 CET | 50186 | 80 | 192.168.2.6 | 202.108.0.52
                                               Nov 19, 2024 14:23:18.751966000 CET | 50185 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:20.626873016 CET | 50183 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:20.751987934 CET | 50185 | 23588 | 192.168.2.6 | 107.160.131.254
                                               Nov 19, 2024 14:23:20.752058983 CET | 50186 | 80 | 192.168.2.6 | 202.108.0.52
                                              Nov 19, 2024 14:23:21.612839937 CET5023923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:21.726469040 CET5024223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:21.727368116 CET5024380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:22.736298084 CET5024223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:22.751986027 CET5023923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:22.752533913 CET5024380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:24.751921892 CET5024223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:24.751945972 CET5024380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:24.751969099 CET5023923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:25.623718023 CET5030323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:25.745513916 CET5030623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:25.746120930 CET5030780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:26.642529011 CET5030323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:26.751900911 CET5030780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:26.751941919 CET5030623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:28.751940012 CET5030780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:28.751960039 CET5030323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:28.752090931 CET5030623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:29.628000975 CET5036823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:29.747411966 CET5037223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:30.417989016 CET5038680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:30.751935005 CET5036823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:30.751931906 CET5037223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:31.439449072 CET5038680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:32.751913071 CET5037223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:32.751914024 CET5036823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:33.455074072 CET5038680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:33.643383026 CET5045223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:33.760314941 CET5045723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:33.760996103 CET5045880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:34.751914978 CET5045223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:34.751928091 CET5045723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:34.767566919 CET5045880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:36.751913071 CET5045223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:36.751920938 CET5045723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:36.767548084 CET5045880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:37.644336939 CET5057023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:37.758264065 CET5057423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:37.761576891 CET5057580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:38.751961946 CET5057023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:38.767560005 CET5057423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:38.955060959 CET5057580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:40.751959085 CET5057023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:40.783204079 CET5057423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:41.048903942 CET5057580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:41.659982920 CET5071023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:41.775249958 CET5071523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:41.776530027 CET5071680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:42.752070904 CET5071023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:42.955066919 CET5071523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:42.955193043 CET5071680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:44.752033949 CET5071023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:44.955133915 CET5071523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:44.955163956 CET5071680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:45.676707983 CET5092423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:45.792959929 CET5093223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:45.793226957 CET5093380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:46.751980066 CET5092423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:46.798841953 CET5093380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:46.955080032 CET5093223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:48.751964092 CET5092423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:48.830081940 CET5093380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:48.955096960 CET5093223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:49.752589941 CET5113223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:50.070348024 CET5113980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:50.072643995 CET5114023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:50.955104113 CET5113223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:51.127028942 CET5114023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:51.127052069 CET5113980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:53.048850060 CET5113223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:53.268089056 CET5113980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:53.268230915 CET5114023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:53.754472971 CET5132623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:53.868702888 CET5133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:53.870743990 CET5133580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:54.753091097 CET5132623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:54.955099106 CET5133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:54.977552891 CET5133580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:56.753300905 CET5132623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:57.048865080 CET5133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:57.126988888 CET5133580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:57.768601894 CET5153423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:57.887590885 CET5154380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:57.887744904 CET5154423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:58.830218077 CET5153423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:23:58.955122948 CET5154380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:23:58.955179930 CET5154423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:00.830121040 CET5153423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:00.955116034 CET5154380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:00.955133915 CET5154423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:01.768762112 CET5219923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:01.888813972 CET5225923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:01.889355898 CET5226080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:02.939511061 CET5219923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:02.939529896 CET5225923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:02.939847946 CET5226080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:04.955121994 CET5219923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:04.955132961 CET5225923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:04.955290079 CET5226080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:05.784176111 CET5487623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:05.900635004 CET5496023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:05.901400089 CET5496180192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:06.939538002 CET5487623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:06.940555096 CET5496180192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:07.033261061 CET5496023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:08.955169916 CET5487623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:08.955204010 CET5496180192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:09.127043962 CET5496023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:09.784322977 CET5694123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:09.900692940 CET5704580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:09.900897980 CET5704623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:10.830154896 CET5694123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:10.955143929 CET5704623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:11.017688990 CET5704580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:12.830231905 CET5694123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:12.955171108 CET5704623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:13.017729998 CET5704580192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:13.807328939 CET5922923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:13.913522005 CET5926323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:13.931407928 CET5927680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:14.830163956 CET5922923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:14.955167055 CET5926323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:15.017664909 CET5927680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:16.890136957 CET5922923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:16.955159903 CET5926323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:17.127036095 CET5927680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:17.819529057 CET6157823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:17.930867910 CET6169223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:17.932169914 CET6169380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:18.944247007 CET6169380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:18.955183029 CET6157823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:18.955435038 CET6169223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:20.955210924 CET6157823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:20.955769062 CET6169223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:21.093554974 CET6169380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:21.833041906 CET6456423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:21.955671072 CET6458780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:21.955905914 CET6458823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:22.955236912 CET6456423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:23.017700911 CET6458780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:23.017815113 CET6458823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:24.955192089 CET6456423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:25.127075911 CET6458780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:25.127098083 CET6458823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:25.847064972 CET5081723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:25.966521025 CET5088080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:25.966521025 CET5087923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:26.985555887 CET5081723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:26.985699892 CET5087923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:27.048954010 CET5088080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:29.048978090 CET5088080192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:29.127090931 CET5081723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:29.127109051 CET5087923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:29.862610102 CET5279523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:29.976965904 CET5290123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:29.990202904 CET5291280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:30.955228090 CET5279523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:31.142719984 CET5290123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:31.142731905 CET5291280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:32.955233097 CET5279523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:33.142750025 CET5290123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:33.142824888 CET5291280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:33.863687038 CET5525723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:33.978358030 CET5536123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:33.979093075 CET5536280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:34.924004078 CET5525723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:35.049108028 CET5536280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:35.127110958 CET5536123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:37.017740011 CET5525723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:37.049222946 CET5536280192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:37.130887985 CET5536123588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:37.878000021 CET5829923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:37.995687008 CET5837223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:37.996412039 CET5837380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:38.939616919 CET5829923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:39.017771959 CET5837380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:39.049129009 CET5837223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:40.955251932 CET5829923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:41.033468008 CET5837380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:41.142808914 CET5837223588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:41.895945072 CET6124423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:42.011346102 CET6133380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:42.011774063 CET6133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:42.955249071 CET6124423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:43.033415079 CET6133380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:43.142761946 CET6133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:44.955353022 CET6124423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:45.127255917 CET6133380192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:45.146933079 CET6133423588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:46.010238886 CET6426523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:46.012752056 CET6426780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:46.015374899 CET6426923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:47.017779112 CET6426523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:47.017800093 CET6426780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:47.049012899 CET6426923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:49.049025059 CET6426923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:49.127173901 CET6426523588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:49.127217054 CET6426780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:50.025021076 CET5091823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:50.136173010 CET5096623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:50.465588093 CET5112680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:51.142822981 CET5091823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:51.142927885 CET5096623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:51.642776012 CET5112680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:53.142786026 CET5091823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:53.142873049 CET5096623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:53.752216101 CET5112680192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:54.036617994 CET5315323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:54.153368950 CET5320823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:54.155138016 CET5320980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:55.127223015 CET5315323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:55.142795086 CET5320980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:55.330281019 CET5320823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:57.127171040 CET5315323588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:57.252166986 CET5320980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:57.424050093 CET5320823588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:58.050702095 CET5606923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:58.168056011 CET5614723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:58.169919014 CET5614880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:24:59.142795086 CET5606923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:59.330344915 CET5614723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:24:59.330543041 CET5614880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:01.142802000 CET5606923588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:01.330296993 CET5614723588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:01.330534935 CET5614880192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:02.137268066 CET5904623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:02.612196922 CET5905023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:02.612273932 CET5904980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:03.142832041 CET5904623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:03.625708103 CET5905023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:03.642997980 CET5904980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:05.142941952 CET5904623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:05.627187014 CET5905023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:05.642827034 CET5904980192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:06.144350052 CET6117023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:06.261217117 CET6126623588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:06.263920069 CET6126780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:07.142848015 CET6117023588192.168.2.6107.160.131.254
                                              Nov 19, 2024 14:25:07.327827930 CET6126780192.168.2.6202.108.0.52
                                              Nov 19, 2024 14:25:07.455355883 CET6126623588192.168.2.6107.160.131.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 14:22:22.834990025 CET | 1.1.1.1 | 192.168.2.6 | 0x58e9 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:27.212347984 CET | 1.1.1.1 | 192.168.2.6 | 0x8c9a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:29.008649111 CET | 1.1.1.1 | 192.168.2.6 | 0xcaf8 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:22:29.008649111 CET | 1.1.1.1 | 192.168.2.6 | 0xcaf8 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:31.989084959 CET | 1.1.1.1 | 192.168.2.6 | 0x9ef2 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:37.280649900 CET | 1.1.1.1 | 192.168.2.6 | 0x20d8 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:41.992718935 CET | 1.1.1.1 | 192.168.2.6 | 0xfbbc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:47.037642956 CET | 1.1.1.1 | 192.168.2.6 | 0x54b4 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:52.035088062 CET | 1.1.1.1 | 192.168.2.6 | 0x535c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:22:57.037497997 CET | 1.1.1.1 | 192.168.2.6 | 0xf6da | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:02.106961966 CET | 1.1.1.1 | 192.168.2.6 | 0xdfc3 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:06.805108070 CET | 1.1.1.1 | 192.168.2.6 | 0x227d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:11.739645004 CET | 1.1.1.1 | 192.168.2.6 | 0xddee | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:16.528870106 CET | 1.1.1.1 | 192.168.2.6 | 0xcc60 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:21.527936935 CET | 1.1.1.1 | 192.168.2.6 | 0x6c32 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:27.016908884 CET | 1.1.1.1 | 192.168.2.6 | 0x5b7a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:30.405493021 CET | 1.1.1.1 | 192.168.2.6 | 0xb903 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:23:30.405493021 CET | 1.1.1.1 | 192.168.2.6 | 0xb903 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:31.526123047 CET | 1.1.1.1 | 192.168.2.6 | 0xd804 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:36.497149944 CET | 1.1.1.1 | 192.168.2.6 | 0xed8a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:41.496196032 CET | 1.1.1.1 | 192.168.2.6 | 0xf5a5 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:46.479165077 CET | 1.1.1.1 | 192.168.2.6 | 0x3510 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:51.479136944 CET | 1.1.1.1 | 192.168.2.6 | 0x3a8d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:23:56.980321884 CET | 1.1.1.1 | 192.168.2.6 | 0x399 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:01.480438948 CET | 1.1.1.1 | 192.168.2.6 | 0x7c00 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:06.478311062 CET | 1.1.1.1 | 192.168.2.6 | 0x1a54 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:11.492769957 CET | 1.1.1.1 | 192.168.2.6 | 0x68a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:16.998323917 CET | 1.1.1.1 | 192.168.2.6 | 0x23f6 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:21.479693890 CET | 1.1.1.1 | 192.168.2.6 | 0xdbb | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:27.518572092 CET | 1.1.1.1 | 192.168.2.6 | 0x8249 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:27.518594980 CET | 1.1.1.1 | 192.168.2.6 | 0x8249 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:29.986151934 CET | 1.1.1.1 | 192.168.2.6 | 0x6a7d | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:24:29.986151934 CET | 1.1.1.1 | 192.168.2.6 | 0x6a7d | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:31.481399059 CET | 1.1.1.1 | 192.168.2.6 | 0x9cdc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:36.478465080 CET | 1.1.1.1 | 192.168.2.6 | 0x6c7d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:41.478900909 CET | 1.1.1.1 | 192.168.2.6 | 0xf526 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:46.486644983 CET | 1.1.1.1 | 192.168.2.6 | 0xdd4 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:50.464437008 CET | 1.1.1.1 | 192.168.2.6 | 0xccbe | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:24:50.464437008 CET | 1.1.1.1 | 192.168.2.6 | 0xccbe | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:51.479964018 CET | 1.1.1.1 | 192.168.2.6 | 0x700f | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:24:56.505747080 CET | 1.1.1.1 | 192.168.2.6 | 0xd766 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:01.480160952 CET | 1.1.1.1 | 192.168.2.6 | 0xde8c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:06.488658905 CET | 1.1.1.1 | 192.168.2.6 | 0x2646 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:11.480587959 CET | 1.1.1.1 | 192.168.2.6 | 0x4d5d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:16.479940891 CET | 1.1.1.1 | 192.168.2.6 | 0x22fc | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:21.560992956 CET | 1.1.1.1 | 192.168.2.6 | 0x445 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:26.478992939 CET | 1.1.1.1 | 192.168.2.6 | 0x1bf4 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:31.481870890 CET | 1.1.1.1 | 192.168.2.6 | 0x502e | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:36.480129957 CET | 1.1.1.1 | 192.168.2.6 | 0x3559 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:41.479402065 CET | 1.1.1.1 | 192.168.2.6 | 0x19d7 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:46.486527920 CET | 1.1.1.1 | 192.168.2.6 | 0x18d4 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:50.888892889 CET | 1.1.1.1 | 192.168.2.6 | 0x9bf9 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:25:50.888892889 CET | 1.1.1.1 | 192.168.2.6 | 0x9bf9 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:51.483251095 CET | 1.1.1.1 | 192.168.2.6 | 0x4fca | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:56.481342077 CET | 1.1.1.1 | 192.168.2.6 | 0xd617 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:01.488898993 CET | 1.1.1.1 | 192.168.2.6 | 0xd2a9 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
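The answer table above shows two very different lookup patterns: host123.zz.am is asked for about every five seconds and always comes back NXDOMAIN (the sample is looping on a name that does not resolve, the classic dead or not-yet-registered C2 domain), while blog.sina.com.cn resolves via a CNAME roughly once a minute. The script below is an added example, not part of the Joe Sandbox report or its engine: it takes a subset of those answer rows (copied here as constructed, '|'-separated input), counts each transaction once even when the response carries several records or is retransmitted (see the duplicated 0x8249 answer at 14:24:27), measures the inter-lookup period per name, and labels periodic never-resolving names as beacons. The thresholds (one second of jitter, a 120 s maximum period, at least five lookups) are assumptions to tune per environment.

```python
"""Periodic-DNS beacon triage over the report's DNS answer rows.

Added example (not part of the Joe Sandbox report): groups answers by the
queried name, counts each transaction once, and flags names that are looked
up on a near-constant period, separating a dead-C2 loop (every lookup is
NXDOMAIN) from a check-in that actually resolves.
"""
import statistics
from collections import OrderedDict, defaultdict
from datetime import datetime

# Constructed input: a subset of the "DNS Answers" rows above, copied as
# timestamp|transaction id|queried name|reply code. The rendered page shows
# these columns with no separator; the '|' is added here for parsing.
ANSWERS = """\
2024-11-19 14:22:29.008649|0xcaf8|blog.sina.com.cn|No error (0)
2024-11-19 14:23:30.405493|0xb903|blog.sina.com.cn|No error (0)
2024-11-19 14:24:27.518572|0x8249|host123.zz.am|Name error (3)
2024-11-19 14:24:27.518594|0x8249|host123.zz.am|Name error (3)
2024-11-19 14:24:29.986151|0x6a7d|blog.sina.com.cn|No error (0)
2024-11-19 14:24:31.481399|0x9cdc|host123.zz.am|Name error (3)
2024-11-19 14:24:36.478465|0x6c7d|host123.zz.am|Name error (3)
2024-11-19 14:24:41.478900|0xf526|host123.zz.am|Name error (3)
2024-11-19 14:24:46.486644|0xdd4|host123.zz.am|Name error (3)
2024-11-19 14:24:50.464437|0xccbe|blog.sina.com.cn|No error (0)
2024-11-19 14:24:50.464437|0xccbe|blogx.sina.com.cn|No error (0)
2024-11-19 14:24:51.479964|0x700f|host123.zz.am|Name error (3)
2024-11-19 14:24:56.505747|0xd766|host123.zz.am|Name error (3)
2024-11-19 14:25:01.480160|0xde8c|host123.zz.am|Name error (3)
2024-11-19 14:25:06.488658|0x2646|host123.zz.am|Name error (3)
2024-11-19 14:25:11.480587|0x4d5d|host123.zz.am|Name error (3)
2024-11-19 14:25:16.479940|0x22fc|host123.zz.am|Name error (3)
2024-11-19 14:25:21.560992|0x445|host123.zz.am|Name error (3)
2024-11-19 14:25:26.478992|0x1bf4|host123.zz.am|Name error (3)
2024-11-19 14:25:31.481870|0x502e|host123.zz.am|Name error (3)
2024-11-19 14:25:50.888892|0x9bf9|blog.sina.com.cn|No error (0)
2024-11-19 14:25:50.888892|0x9bf9|blogx.sina.com.cn|No error (0)
"""


def parse_answers(text):
    """Yield (timestamp, txid, name, rcode) tuples from the '|'-separated rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, txid, name, rcode = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), txid, name, rcode


def profile_names(rows, min_events=5):
    """Per queried name: lookup count, median gap between lookups, gap jitter, NXDOMAIN ratio."""
    first_by_txid = OrderedDict()
    for ts, txid, name, rcode in rows:
        # One response can carry several RRs (CNAME + A) and resolvers retransmit;
        # keep the first row per transaction so each lookup is counted once.
        first_by_txid.setdefault(txid, (ts, name, rcode))
    by_name = defaultdict(list)
    for ts, name, rcode in first_by_txid.values():
        by_name[name].append((ts, rcode))
    profiles = {}
    for name, events in by_name.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        profiles[name] = {
            "count": len(events),
            "median_gap_s": statistics.median(gaps),
            "gap_jitter_s": statistics.pstdev(gaps),
            "nxdomain_ratio": sum(rc.startswith("Name error") for _, rc in events) / len(events),
        }
    return profiles


def classify(profiles, max_jitter_s=1.0, max_period_s=120.0):
    """Label each profiled name; the thresholds are assumptions, tune per environment."""
    labels = {}
    for name, p in profiles.items():
        periodic = p["gap_jitter_s"] <= max_jitter_s and p["median_gap_s"] <= max_period_s
        if periodic and p["nxdomain_ratio"] >= 0.9:
            labels[name] = "dead-c2-beacon"      # fixed period, name never resolves
        elif periodic:
            labels[name] = "periodic-checkin"    # fixed period, name resolves
        else:
            labels[name] = "irregular"
    return labels


def triage(text=ANSWERS):
    """Profile and label every name in the given answer rows."""
    profiles = profile_names(parse_answers(text))
    return profiles, classify(profiles)


if __name__ == "__main__":
    profiles, labels = triage()
    for name, p in profiles.items():
        print(f"{name:18s} n={p['count']:2d} period={p['median_gap_s']:6.2f}s "
              f"jitter={p['gap_jitter_s']:.2f}s nxdomain={p['nxdomain_ratio']:.0%} -> {labels[name]}")
```

Run as a script it prints one line per name. host123.zz.am comes out with a 5 s median period, well under a second of jitter and 100% NXDOMAIN, so it is labelled a dead-C2 beacon; blog.sina.com.cn resolves every time, but the 20 s gap between its 14:24:29 and 14:24:50 answers breaks the otherwise 60 s cadence, so with a 1 s jitter budget it lands in "irregular". The A rows for blogx.sina.com.cn never get their own profile because they share a transaction id with the CNAME row that precedes them.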

                                              Target ID:1
                                              Start time:08:21:54
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\loaddll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:loaddll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll"
                                              Imagebase:0xac0000
                                              File size:126'464 bytes
                                              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:08:21:55
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:08:21:55
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:08:21:55
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",#1
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:08:21:55
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,DoAddToFavDlg
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:6
                                              Start time:08:21:56
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:08:21:56
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:08:21:56
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\PING.EXE
                                              Wow64 process (32bit):true
                                              Commandline:ping 127.0.0.1 -n 3
                                              Imagebase:0x210000
                                              File size:18'944 bytes
                                              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:08:21:58
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,InputFile
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:08:22:01
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe C:\Users\user\Desktop\jYAKmjIPgI.dll,PrintFile
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:08:22:01
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 676
                                              Imagebase:0x5c0000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",InputFile
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:18
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:rundll32.exe "C:\Users\user\Desktop\jYAKmjIPgI.dll",PrintFile
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:19
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:08:22:04
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\PING.EXE
                                              Wow64 process (32bit):true
                                              Commandline:ping 127.0.0.1 -n 3
                                              Imagebase:0x210000
                                              File size:18'944 bytes
                                              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:23
                                              Start time:08:22:05
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 676
                                              Imagebase:0x5c0000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:26
                                              Start time:08:22:32
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:08:22:32
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:08:22:32
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:29
                                              Start time:08:22:32
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\PING.EXE
                                              Wow64 process (32bit):true
                                              Commandline:ping 127.0.0.1 -n 3
                                              Imagebase:0x210000
                                              File size:18'944 bytes
                                              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:30
                                              Start time:08:22:40
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\jYAKmjIPgI.dll",DoAddToFavDlg
                                              Imagebase:0x6a0000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:31
                                              Start time:08:22:41
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:32
                                              Start time:08:22:41
                                              Start date:19/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:33
                                              Start time:08:22:41
                                              Start date:19/11/2024
                                              Path:C:\Windows\SysWOW64\PING.EXE
                                              Wow64 process (32bit):true
                                              Commandline:ping 127.0.0.1 -n 3
                                              Imagebase:0x210000
                                              File size:18'944 bytes
                                              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:11.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:7.9%
                                                Total number of Nodes:63
                                                Total number of Limit Nodes:3

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 00770D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 00770E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 00770E34
                                                • ExitProcess.KERNEL32(00000000), ref: 00770E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: f9ea4fa3134f3528d7e3d40e18e696f182ad04573423ae4cff10137fa11799b4
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: C0511631205785CFDB368F20CC44ADB3BB4AF06340F09859EED4A9B296EB78A814C791

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 00770D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 00770E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 00770E34
                                                • ExitProcess.KERNEL32(00000000), ref: 00770E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 00770E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: a6090a9aab07893c103f56e2dda831adc74e19fe08c76f6eae7641282b5d6aa2
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: E5419D32200746DFEB34DF54CC44EEB73A5AF48391F048619EE4A97645EB74B811CB90

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 00770D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 00770E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 00770E34
                                                • ExitProcess.KERNEL32(00000000), ref: 00770E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 00770E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: dece59db3ff28ff366dc4f638f27aae0e99dc34583ad18a59617825fea1ccc93
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: BA319A32201746DFDB399F24CC85FEB77A5AF45391F00851DEE4A97685EBB4A820CB90

                                                Control-flow Graph

                                                APIs
                                                • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 007714EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0077150D
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: b2240e6277a52948eb9d7c5aee263cdadcd1da4c592ba734316b1f12dfe799de
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: DCF0E933240245AFEF098F68D885EEE7768DF48398B20006AF7029A186CA71D551C754

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0077007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 007700BE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: d06504679737233f59ff0a29ea6383c64921d8e1197461daaa3ffa079d33bf12
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: 2701A476209701BEEB314AA19C00F77BBDCDF49762F148C5AFAD9C1091D929E840DBB0

                                                Control-flow Graph

                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 007700BE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: c99209691f2fc4f6ec508bccf3d2d78e4b8e4e258c58a086c67e9330e0dc8c27
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 07F0E92264A311E9FA1067347C49B67BB98DB43371B154997EC44D6092DD19D802C6E4

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32 ref: 00770EAE
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00770ED0
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID:
                                                • API String ID: 2574300362-0
                                                • Opcode ID: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
                                                • Instruction ID: b0f5d0acaed97a3b8180b29d914621f33a2ccae69aee41be32ad03fc8670e721
                                                • Opcode Fuzzy Hash: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
                                                • Instruction Fuzzy Hash: 40F0A7B7A00104DFDB10CF18CCC09AAF3B1EF943A43298879D84AE7714D639FD559A50
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2250051290.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_770000_loaddll32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
                                                • Instruction ID: ec3e86e4c55e33eb69e9f6818698cf1789d01a2237f7c333dfe5f3d00ff3b0c6
                                                • Opcode Fuzzy Hash: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
                                                • Instruction Fuzzy Hash: FE52F771608351CBDB08CF29C49016EFBE2FFD4384F158A2EE59A87394D775A949CB82

                                                Execution Graph

                                                Execution Coverage:9.2%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:63
                                                Total number of Limit Nodes:3

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02980D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02980E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02980E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02980E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: ce32b73caf013bb39451009590e96f9d91cbf92fe63a748b5ed67efb26487c77
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 2A5105321057859FDB369F20CC40BEB3BB9AF46304F09419EDD869B297EB34A819CB51

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02980D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02980E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02980E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02980E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02980E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: 780c62c060a381c076a221d49c6d5fa9bd90c87c181cb05b4ee683e4223b51ac
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: 1F416C322007069FDB34AF14CC44FEB73A5AF48351F084519ED4AA7645EB71A915CB90

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02980D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02980E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02980E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02980E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02980E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: e3c93f5ec77e2adb1d5431963f2e0d6ed50011f6d816012aefd4f3434705e623
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 8031AB322017469FDB39AF10CC84FEB77AAAF85351F08411DED4A97685EB70A815CB50

                                                Control-flow Graph

                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 029814EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0298150D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: 27e2e3b17cd744442ddce5325905b7f9b1ff7ab6e6a38016151a9a75775cb230
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: A1F0E933240245AFEB098F64D885EEE7768DF48398B20006AF7029A186CA71D551C754

                                                Control-flow Graph

                                                control_flow_graph 101 2980063-2980069 103 298006b-2980082 VirtualAlloc 101->103 104 29800c3-29800c5 101->104 103->104 105 2980084-29800a4 103->105 106 29800c6-29800ca 104->106 107 29800aa-29800b0 105->107 108 29800a5 call 29800cd 105->108 109 29800b2-29800b4 107->109 110 29800b5-29800c1 VirtualFree 107->110 108->107 109->110 110->104 110->106
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0298007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 029800BE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: 3d638f57ba3eb516575e1de1e4da313bcef51a6d41bf639236d32fbc6139e539
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: C001AF72209602BEE7316EA19C11F37BBECDF48712F184C5AFAD5C2090DA26E444DB70

                                                Control-flow Graph

                                                control_flow_graph 111 298002a-298002e 113 29800c3-29800c5 111->113 114 2980034-2980043 call 2980047 111->114 116 29800c6-29800ca 113->116 118 29800aa-29800b0 114->118 119 2980045-298004c 114->119 122 29800b2-29800b4 118->122 123 29800b5-29800c1 VirtualFree 118->123 120 2980056-2980061 119->120 121 2980051 call 2980063 119->121 120->113 121->120 122->123 123->113 123->116
                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 029800BE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2183238283.0000000002980000.00000040.00001000.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2980000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: 1ec882a0d419b5c2648da585704e07a6e7d77eac7f29b100a8b8aa297d3bff71
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 51F02E2264E7116DF6107F347C55A27BB98DF43325B1D0D97DC40D60A1DD15D806CAE4

                                                Execution Graph

                                                Execution Coverage:4.6%
                                                Dynamic/Decrypted Code Coverage:11%
                                                Signature Coverage:1.1%
                                                Total number of Nodes:282
                                                Total number of Limit Nodes:12
                                                execution_graph 17424 10007101 17426 10007118 17424->17426 17429 100071a6 Sleep 17426->17429 17430 100071f7 wsprintfA 17426->17430 17433 10005c4c 17426->17433 17448 10003ef4 17426->17448 17451 100061bd 17426->17451 17429->17426 17470 1000570f 17430->17470 17434 10003ef4 wvsprintfA 17433->17434 17435 10005c86 17434->17435 17481 10003f72 PathFileExistsA 17435->17481 17437 10005c92 17438 10005c99 17437->17438 17439 10005c9d 17437->17439 17438->17426 17482 10004015 CreateFileA 17439->17482 17441 10005cbb 17441->17438 17483 10004035 ReadFile 17441->17483 17443 10005cd6 17484 10003f92 CloseHandle 17443->17484 17445 10005cdc 17485 10003f7d StrStrIA 17445->17485 17447 10005ce9 17447->17438 17486 10003ee1 wvsprintfA 17448->17486 17450 10003f06 17450->17426 17452 100061dd 17451->17452 17487 10003f0a InternetOpenA 17452->17487 17454 100061e4 17464 100061ee 17454->17464 17488 10003f24 InternetOpenUrlA 17454->17488 17456 10006206 17457 10006210 17456->17457 17458 10006219 17456->17458 17489 10003f58 InternetCloseHandle 17457->17489 17460 10006276 17458->17460 17466 1000621f 17458->17466 17492 10003f58 InternetCloseHandle 17460->17492 17462 10006216 17493 10003f58 InternetCloseHandle 17462->17493 17464->17426 17467 1000626c 17466->17467 17490 10003f41 InternetReadFile 17466->17490 17491 10003f92 CloseHandle 17467->17491 17469 10006274 17469->17460 17471 1000571c 17470->17471 17472 10005724 wsprintfA 17471->17472 17494 10005318 17472->17494 17474 10005776 wsprintfA wsprintfA 17496 10035e22 17474->17496 17481->17437 17482->17441 17483->17443 17484->17445 17485->17447 17486->17450 17487->17454 17488->17456 17489->17462 17490->17466 17491->17469 17492->17462 17493->17464 17495 10005325 17494->17495 17495->17474 17497 1003bf35 17496->17497 17511 10004482 17512 1000448d 17511->17512 17515 100040ba RegOpenKeyExA 17512->17515 17514 100044a4 17515->17514 17516 10006dc4 17517 10006dce 17516->17517 17518 10003ef4 wvsprintfA 17517->17518 17523 
10006ec4 17517->17523 17519 10006e8f 17518->17519 17520 10003ef4 wvsprintfA 17519->17520 17521 10006eb8 17520->17521 17524 10006290 17521->17524 17525 100062a2 17524->17525 17534 10003f0a InternetOpenA 17525->17534 17527 100062a9 17533 100062da 17527->17533 17535 10003f24 InternetOpenUrlA 17527->17535 17529 100062c4 17536 10003f58 InternetCloseHandle 17529->17536 17531 100062d4 17537 10003f58 InternetCloseHandle 17531->17537 17533->17523 17534->17527 17535->17529 17536->17531 17537->17533 17538 10005846 17539 1000584d 17538->17539 17540 10005862 17539->17540 17542 10003eb4 gethostbyname 17539->17542 17542->17540 17651 10008567 Sleep 17652 1000858a 17651->17652 17653 100061bd 5 API calls 17652->17653 17654 100085b1 17653->17654 17655 100085ba Sleep 17654->17655 17656 100085c3 17654->17656 17655->17654 17543 2aa0063 17544 2aa0067 17543->17544 17545 2aa006b VirtualAlloc 17544->17545 17546 2aa00c3 17544->17546 17545->17546 17547 2aa0084 17545->17547 17548 2aa00b5 VirtualFree 17547->17548 17548->17546 17657 2aa14c0 VirtualProtect 17658 2aa14fb 17657->17658 17659 2aa14ff VirtualProtect 17657->17659 17658->17659 17660 1000826c 17665 100082a6 17660->17665 17661 10005c4c 6 API calls 17661->17665 17662 10003ef4 wvsprintfA 17662->17665 17663 100061bd 5 API calls 17663->17665 17664 1000838e Sleep 17664->17665 17665->17661 17665->17662 17665->17663 17665->17664 17667 100083df wsprintfA 17665->17667 17668 1000720e 17665->17668 17667->17665 17669 10007218 17668->17669 17671 1000726f 17669->17671 17673 1000756c 17669->17673 17697 10007a62 17669->17697 17671->17673 17701 1000504d 17671->17701 17673->17665 17674 10007404 17674->17673 17677 10007ccb MultiByteToWideChar 17674->17677 17675 100072b4 17675->17674 17705 10007ccb 17675->17705 17679 100074a5 17677->17679 17678 100072fb 17678->17674 17680 1000504d MultiByteToWideChar 17678->17680 17679->17673 17681 1000504d MultiByteToWideChar 17679->17681 17682 1000731d SafeArrayCreate VariantInit SafeArrayCreate VariantInit 17680->17682 
17683 100074ca 17681->17683 17686 1000504d MultiByteToWideChar 17682->17686 17685 1000504d MultiByteToWideChar 17683->17685 17687 100074d9 SafeArrayCreate 17685->17687 17689 10007392 17686->17689 17690 10007519 17687->17690 17692 1000504d MultiByteToWideChar 17689->17692 17691 1000504d MultiByteToWideChar 17690->17691 17693 1000752f 17691->17693 17694 100073cb 17692->17694 17695 1000504d MultiByteToWideChar 17693->17695 17696 1000504d MultiByteToWideChar 17694->17696 17695->17673 17696->17674 17698 10007a6c 17697->17698 17699 1000504d MultiByteToWideChar 17698->17699 17700 10007ab6 17698->17700 17699->17700 17700->17671 17702 10005057 17701->17702 17704 10005078 17702->17704 17709 100050f5 17702->17709 17704->17675 17706 10007cd5 17705->17706 17707 1000504d MultiByteToWideChar 17706->17707 17708 10007ce9 17706->17708 17707->17708 17708->17678 17712 1000d0ae 17709->17712 17711 1000510c 17711->17704 17713 1000d0bd 17712->17713 17715 1000d0b9 17712->17715 17714 1000d0d6 MultiByteToWideChar 17713->17714 17714->17715 17715->17711 17716 100044ad 17718 10004489 17716->17718 17717 100044d9 GetExtendedUdpTable 17717->17718 17718->17716 17718->17717 17719 100044fe 17718->17719 17721 10004456 17718->17721 17720 10004509 GetExtendedUdpTable 17719->17720 17719->17721 17720->17721 17549 10004351 17551 1000436c 17549->17551 17550 10004370 17551->17550 17552 10004399 Sleep 17551->17552 17553 100043b3 17552->17553 17554 100043e0 Sleep 17553->17554 17555 100043ef 17554->17555 17555->17550 17556 10006ed6 17559 10006cf7 17556->17559 17569 10003ff7 GetShortPathNameA 17559->17569 17561 10006d32 17570 1000406c RegCreateKeyExA 17561->17570 17563 10006d60 wsprintfA 17564 10006d9a 17563->17564 17571 100040d4 RegSetValueExA 17564->17571 17566 10006db3 17572 10004092 RegCloseKey 17566->17572 17568 10006dbe 17569->17561 17570->17563 17571->17566 17572->17568 17722 100087b6 17723 100087bb CreateThread Sleep CreateThread Sleep 17722->17723 17724 100087eb 17723->17724 17725 1000841c 17723->17725 
17730 10006a6e 17723->17730 17729 10008429 17725->17729 17726 100085ba Sleep 17727 1000855a Sleep 17727->17729 17729->17726 17729->17727 17731 10006a82 17730->17731 17740 10003ece CreateMutexA 17731->17740 17733 10006aa3 GetLastError 17734 10006b0b 17733->17734 17735 10006ab4 17733->17735 17737 10006ae1 CreateThread 17735->17737 17738 10006ad8 Sleep 17735->17738 17741 10006499 17735->17741 17739 10006b02 17737->17739 17760 1000687e 14 API calls 17737->17760 17738->17735 17739->17738 17740->17733 17742 100064a3 17741->17742 17743 100064e9 wsprintfA 17742->17743 17744 10006508 17743->17744 17757 10003f0a InternetOpenA 17744->17757 17746 1000652b 17747 100066d0 17746->17747 17758 10003f24 InternetOpenUrlA 17746->17758 17747->17735 17749 1000654b 17749->17747 17755 10006559 ctype 17749->17755 17751 100065bf MultiByteToWideChar 17751->17755 17752 100065d7 MultiByteToWideChar 17752->17755 17753 100066df wsprintfA 17756 100066b0 ctype 17753->17756 17754 10006647 17754->17753 17754->17756 17755->17751 17755->17752 17755->17754 17759 10003f41 InternetReadFile 17755->17759 17756->17747 17757->17746 17758->17749 17759->17755 17761 100081f7 17762 10008200 17761->17762 17764 1000825f Sleep 17762->17764 17765 10007f3e 8 API calls 17762->17765 17766 1000400a GetDriveTypeA 17762->17766 17764->17762 17765->17762 17766->17762 17767 2aa0cd0 17771 2aa0d32 17767->17771 17769 2aa0ce7 17782 2aa0cf9 17769->17782 17772 2aa0d3e 17771->17772 17773 2aa0d57 VirtualAlloc 17772->17773 17775 2aa0d86 17773->17775 17774 2aa0e28 MessageBoxA ExitProcess 17775->17774 17776 2aa0e42 17775->17776 17778 2aa0dc7 17775->17778 17777 2aa0e70 VirtualFree 17776->17777 17777->17769 17779 2aa0dd7 wsprintfA 17778->17779 17781 2aa0de7 17778->17781 17779->17781 17781->17774 17783 2aa0d29 17782->17783 17784 2aa0d57 VirtualAlloc 17783->17784 17786 2aa0d86 17784->17786 17785 2aa0e28 MessageBoxA ExitProcess 17786->17785 17787 2aa0e42 17786->17787 17789 2aa0dc7 17786->17789 17788 2aa0e70 VirtualFree 17787->17788 17790 
2aa0e0c wsprintfA 17789->17790 17791 2aa0de7 17789->17791 17790->17791 17791->17785 17573 10006ede 17574 10006eeb 17573->17574 17575 10006f1f Sleep 17574->17575 17576 1000591c lstrcmpiA CloseHandle CreateToolhelp32Snapshot Process32First Process32Next 17574->17576 17582 10006f2c 17574->17582 17575->17574 17576->17574 17577 10005c4c 6 API calls 17577->17582 17578 10003ef4 wvsprintfA 17578->17582 17579 100061bd 5 API calls 17579->17582 17580 10007053 Sleep 17580->17582 17581 10007092 wsprintfA 17581->17582 17582->17577 17582->17578 17582->17579 17582->17580 17582->17581 17583 100070c8 PrintFile PrintFile 17582->17583 17583->17582 17584 10006b1f 17585 10006b3c 17584->17585 17592 10003ece CreateMutexA 17585->17592 17587 10006b50 GetLastError 17588 10006b61 CreateThread 17587->17588 17591 10006b90 17587->17591 17589 10006b7b 17588->17589 17593 1000687e 17588->17593 17590 10006b83 Sleep 17589->17590 17590->17588 17592->17587 17594 100068aa 17593->17594 17601 10005db4 17594->17601 17596 100068ec 17597 100068c0 17597->17596 17598 10005f15 8 API calls 17597->17598 17613 10005f98 17597->17613 17622 10003f63 ExitWindowsEx 17597->17622 17598->17597 17602 10005de5 17601->17602 17606 10005e1e 17602->17606 17623 1000409d RegQueryValueExA 17602->17623 17604 10005e16 17641 10004092 RegCloseKey 17604->17641 17607 10003ef4 wvsprintfA 17606->17607 17608 10005e89 17607->17608 17624 10005cf7 17608->17624 17611 10003ef4 wvsprintfA 17612 10005ee1 17611->17612 17612->17597 17614 10005fb9 17613->17614 17615 10003ef4 wvsprintfA 17613->17615 17648 10004015 CreateFileA 17614->17648 17615->17614 17617 10005fd9 17621 10005fe3 17617->17621 17649 10003f9d WriteFile 17617->17649 17619 10005fff 17650 10003f92 CloseHandle 17619->17650 17621->17597 17622->17597 17623->17604 17625 10003ef4 wvsprintfA 17624->17625 17626 10005d31 17625->17626 17642 10003f72 PathFileExistsA 17626->17642 17628 10005d3d 17629 10005d48 17628->17629 17630 10005d44 17628->17630 17643 10004015 CreateFileA 17629->17643 
17630->17611 17630->17612 17632 10005d66 17632->17630 17644 10004035 ReadFile 17632->17644 17634 10005d81 17645 10003f92 CloseHandle 17634->17645 17636 10005d87 17646 10003f7d StrStrIA 17636->17646 17638 10005d94 17638->17630 17647 10003f7d StrStrIA 17638->17647 17640 10005da8 17640->17630 17641->17606 17642->17628 17643->17632 17644->17634 17645->17636 17646->17638 17647->17640 17648->17617 17649->17619 17650->17621

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$12010043$L2ltYWdlLnBocA==$NPKI$P
                                                • API String ID: 0-3984435826
                                                • Opcode ID: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                                • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                • Opcode Fuzzy Hash: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                                • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CreateSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 3332741929-0
                                                • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                                • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                • Sleep.KERNEL32 ref: 10007059
                                                • wsprintfA.USER32 ref: 1000709D
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000), ref: 100070D6
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000,?,00000000), ref: 100070E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: FilePrintSleep$wsprintf
                                                • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                • API String ID: 1547040302-3813294871
                                                • Opcode ID: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                                • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                • Opcode Fuzzy Hash: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                                • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55

                                                Control-flow Graph

                                                APIs
                                                • wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,76230ECC,0007D000,00000000,00000000), ref: 100065C8
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,76230ECC,0007D000,00000000,00000000), ref: 100065E6
                                                • wsprintfA.USER32 ref: 100066E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                • API String ID: 4077377486-2496724313
                                                • Opcode ID: c3904df0163014b294ad3428c8b46474ddc640335be8714e90fc727204d8a3f7
                                                • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                • Opcode Fuzzy Hash: c3904df0163014b294ad3428c8b46474ddc640335be8714e90fc727204d8a3f7
                                                • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1

                                                Control-flow Graph

                                                control_flow_graph 189 2aa0c8d-2aa0cc8 call 2aa0cc2 192 2aa0cca-2aa0ccc 189->192 193 2aa0d05-2aa0d27 189->193 192->193 194 2aa0d29-2aa0d2e 193->194 195 2aa0d3e-2aa0d8e call 2aa0e91 VirtualAlloc call 2aa116c 193->195 194->195 196 2aa0d30-2aa0d3c 194->196 201 2aa0e28-2aa0e3c MessageBoxA ExitProcess 195->201 202 2aa0d94-2aa0db3 call 2aa10ca call 2aa0fe5 call 2aa0eeb 195->202 196->195 209 2aa0db9-2aa0dc5 call 2aa1338 202->209 210 2aa0e42-2aa0e4b 202->210 209->210 217 2aa0dc7-2aa0dd5 209->217 212 2aa0e4d-2aa0e5f 210->212 213 2aa0e62-2aa0e90 call 2aa14b2 VirtualFree 210->213 212->213 218 2aa0ddf-2aa0de5 217->218 219 2aa0dd7-2aa0ddd 217->219 221 2aa0de7-2aa0e03 218->221 222 2aa0e05-2aa0e0b 218->222 220 2aa0e0c-2aa0e1c wsprintfA 219->220 223 2aa0e22 220->223 221->223 222->220 223->201
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02AA0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02AA0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02AA0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02AA0E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 59bab92d8c94781c987feb55c503cd3bf1d15ba88cc78bc55724fb4a7986805a
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 975104321457859FDB368F20CCA0BEB7BB5AF06304F09419EDD869B296EF34A815CB51

                                                Control-flow Graph

                                                control_flow_graph 225 2aa0cf9-2aa0d27 226 2aa0d29-2aa0d2e 225->226 227 2aa0d3e-2aa0d8e call 2aa0e91 VirtualAlloc call 2aa116c 225->227 226->227 228 2aa0d30-2aa0d3c 226->228 233 2aa0e28-2aa0e3c MessageBoxA ExitProcess 227->233 234 2aa0d94-2aa0db3 call 2aa10ca call 2aa0fe5 call 2aa0eeb 227->234 228->227 241 2aa0db9-2aa0dc5 call 2aa1338 234->241 242 2aa0e42-2aa0e4b 234->242 241->242 249 2aa0dc7-2aa0dd5 241->249 244 2aa0e4d-2aa0e5f 242->244 245 2aa0e62-2aa0e90 call 2aa14b2 VirtualFree 242->245 244->245 250 2aa0ddf-2aa0de5 249->250 251 2aa0dd7-2aa0ddd 249->251 253 2aa0de7-2aa0e03 250->253 254 2aa0e05-2aa0e0b 250->254 252 2aa0e0c-2aa0e1c wsprintfA 251->252 255 2aa0e22 252->255 253->255 254->252 255->233
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02AA0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02AA0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02AA0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02AA0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02AA0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: 39909e013bf650f4f58e0b1fd04df74cf270c0beee1ff615f6271ea623676a53
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: 36416A322407469FEB389F14CC94FEB73A5AF48351F044219EE4AA7684EF71A9158B90

                                                Control-flow Graph

                                                APIs
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                  • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2
                                                  • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseFormatQueryTimeValue___crt
                                                • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                • API String ID: 271660946-3893357082
                                                • Opcode ID: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                                • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                • Opcode Fuzzy Hash: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                                • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02AA0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 02AA0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02AA0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 02AA0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02AA0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: d018b939d58487c2706794ba3bde5bf1de88aa0e44895358cb691511af8cc1a5
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 2D3186322417469FDB399F20CC94FEB77AAAF45351F04411DEE4A97685EF71A820CB50

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                  • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                • wsprintfA.USER32 ref: 10006D88
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                  • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,dtfd,00000000,00000001,?,00000001,?), ref: 100040E9
                                                  • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                • String ID: %s "%s",DoAddToFavDlg$C:\Users\user\Desktop\jYAKmjIPgI.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                • API String ID: 1762869224-168146514
                                                • Opcode ID: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                                • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                • Opcode Fuzzy Hash: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                                • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                                • wsprintfA.USER32 ref: 100083E6
                                                Strings
                                                • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                • 127.0.0.1, xrefs: 100083F4
                                                • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                • 8.8.8.8, xrefs: 100083EF
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleepwsprintf
                                                • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                • API String ID: 1749205058-626475063
                                                • Opcode ID: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                                • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                • Opcode Fuzzy Hash: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                                • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                • GetLastError.KERNEL32 ref: 10006AA8
                                                  • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                                • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                • String ID: 0x5d65r455f$5762479093
                                                • API String ID: 3244495550-2446933972
                                                • Opcode ID: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                                • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                • Opcode Fuzzy Hash: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                                • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(00002710), ref: 1000857E
                                                • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                • API String ID: 3472027048-3516831565
                                                • Opcode ID: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                                • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                • Opcode Fuzzy Hash: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                                • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91

                                                Control-flow Graph

                                                APIs
                                                • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 100044E9
                                                • GetExtendedUdpTable.IPHLPAPI(?,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 10004513
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: ExtendedTable
                                                • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                • API String ID: 2407854163-1809394930
                                                • Opcode ID: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                                • Instruction ID: 6449560a486cb6172ee975f2d37c1f40bf8993c7a1880d61e14318031523e361
                                                • Opcode Fuzzy Hash: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                                • Instruction Fuzzy Hash: D1215CB5500508BFEB20DB69DC46EAF77BCDF813D1F214519F9119A086DE30AE808674

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                Strings
                                                • svchsot.exe, xrefs: 10008524
                                                • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                • API String ID: 3472027048-2214221337
                                                • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
                                                APIs
                                                • CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
                                                • Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
                                                • CreateThread.KERNEL32(?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
                                                • Sleep.KERNEL32(000000FF,?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CreateSleepThread
                                                • String ID:
                                                • API String ID: 4202482776-0
                                                • Opcode ID: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                                • Instruction ID: 2df9746d7e78e8372c6e87ac4aa0691d1060a96339f5c4ce5d4c7b8b7a8da0f8
                                                • Opcode Fuzzy Hash: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                                • Instruction Fuzzy Hash: 46E05EE024435DBDF321B2791CC8DFF1E0DEB812FCB254252F528100CB6A540D048AB2
                                                APIs
                                                  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                • GetLastError.KERNEL32 ref: 10006B55
                                                • CreateThread.KERNEL32(?,?,1000687E), ref: 10006B6B
                                                • Sleep.KERNEL32(00002710,?,00000000,00000000,000000FF,?,?,1000687E), ref: 10006B88
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Create$ErrorLastMutexSleepThread
                                                • String ID:
                                                • API String ID: 145085098-0
                                                • Opcode ID: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
                                                • Instruction ID: 4f35827bfa7b5ea93410d600da94e256639eda4c8ceaa52b9f8b13dee9a51c26
                                                • Opcode Fuzzy Hash: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
                                                • Instruction Fuzzy Hash: 463182714043905EF716DB284C45EA7BFAEDF5A390B14416AF8A5CB287D620D941C771
                                                APIs
                                                Strings
                                                • http://107.160.131.254:23588/article.php, xrefs: 1000716B
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleepwsprintf
                                                • String ID: http://107.160.131.254:23588/article.php
                                                • API String ID: 1749205058-3833642815
                                                • Opcode ID: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
                                                • Instruction ID: aabc6cc0ccec88c78b37051fa20fdae4f9ca8aa4d7268392f08ad21868547801
                                                • Opcode Fuzzy Hash: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
                                                • Instruction Fuzzy Hash: 462129B6D046557AF724D368CC56FCF37ACEF053D0F2000A6F608A50C6E679AE818A11
                                                APIs
                                                  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                                Strings
                                                • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: FormatInternetOpenTime___crt
                                                • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                                • API String ID: 483802873-1756078650
                                                • Opcode ID: 958d10e8dd0a11b106b86c41bd1f14c2109df9aed52d4faf27bdb7eed6aa23fd
                                                • Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
                                                • Opcode Fuzzy Hash: 958d10e8dd0a11b106b86c41bd1f14c2109df9aed52d4faf27bdb7eed6aa23fd
                                                • Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660
                                                APIs
                                                  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
                                                  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                Strings
                                                • TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InternetOpen$FormatTime___crt
                                                • String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
                                                • API String ID: 1165476586-1918919809
                                                • Opcode ID: 6dd616fe18b4dc7dc232f498d1d56e002bf1131066ec89318103dde342ec69ca
                                                • Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
                                                • Opcode Fuzzy Hash: 6dd616fe18b4dc7dc232f498d1d56e002bf1131066ec89318103dde342ec69ca
                                                • Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
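The two Strings entries in the function summaries above are base64: TW96aWxsYS81LjAg… decodes to a Firefox 3.6 User-Agent and TW96aWxsYS80LjAgKGNvbXBhdGlibGUp to "Mozilla/4.0 (compatible)", which is what the sample hands to InternetOpenA before InternetOpenUrlA fetches the hard-coded beacon URL on the non-standard port 23588. The Python helper below is an added example, not code from the Joe Sandbox report or from the sample; it decodes base64 candidates from a strings list and pulls host, port and path out of any URL so the values can be turned into network indicators. Its input list is constructed from the four strings shown on this page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed input: the Strings entries listed in the function summaries above.
# Nothing is fetched from the network; the script runs entirely offline.
REPORT_STRINGS = [
    "http://107.160.131.254:23588/article.php",
    "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6"
    "MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1",
    "TW96aWxsYS80LjAgKGNvbXBhdGlibGUp",
    "C:\\Program Files",
]

# Base64 alphabet only, at least 16 characters, optional padding. Short matches
# such as "Files" are excluded to keep false positives down.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def try_b64(s):
    """Return the decoded text if s is well-formed base64 yielding printable ASCII, else None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def extract_iocs(strings):
    """Split report strings into decoded User-Agents and URL-derived C2 tuples.

    Each C2 tuple is (host, port, path, non_standard_port); the last field is
    True when the port is neither 80 nor 443, which is worth a firewall rule
    on its own even if the IP rotates.
    """
    iocs = {"user_agents": [], "urls": [], "c2": []}
    for s in strings:
        decoded = try_b64(s)
        if decoded is not None:
            # Browser UA strings are the common case for base64-hidden HTTP headers.
            if decoded.startswith("Mozilla/"):
                iocs["user_agents"].append(decoded)
            continue
        if s.startswith(("http://", "https://")):
            u = urlparse(s)
            port = u.port or (443 if u.scheme == "https" else 80)
            iocs["urls"].append(s)
            iocs["c2"].append((u.hostname, port, u.path, port not in (80, 443)))
    return iocs


if __name__ == "__main__":
    for key, values in extract_iocs(REPORT_STRINGS).items():
        print(key)
        for v in values:
            print("   ", v)
```

The decoded User-Agents are as useful as the IP: a proxy log filter for an exact "Mozilla/4.0 (compatible)" header, or for a Firefox 3.6.15 zh-CN build on a fleet that runs nothing of the kind, will keep matching after the C2 address changes.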
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: C:\Program Files
                                                • API String ID: 3472027048-1387799010
                                                • Opcode ID: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
                                                • Instruction ID: c9703108929f2dc2805788eab40c91aa3f5a92b87bc929f4f41ff718cce9746c
                                                • Opcode Fuzzy Hash: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
                                                • Instruction Fuzzy Hash: 40F0723A905AA1A6F701DFA409C068B776DFF022A0B210026F840BF047C7B18E0243E2
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 02AA14EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 02AA150D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: 3f28350b2dac319d535727f70de8080369d108ce07111fdbbd555f18511d620f
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: A0F0E973240245AFEB098F68D895EEE7768DF48398B20006AF7029E186CA71D551C754
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02AA007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 02AA00BE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: d3e580b528e8d6b3ece3e1147ec6be1c5ef3d972388b2139c1c02c6f829b2de1
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: BC018C72209602BEE7324AA19C61F37BBECDF49712F144C5AFAD5C2090DF26E4408B70
                                                APIs
                                                • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                                • Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
                                                • Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                                • Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91
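The memory-API calls at 02AA14EF, 02AA150D, 02AA007E and 02AA00BE live in the 02AA0000 region, which the report marks "based on PE: false", i.e. memory the sample carved out at run time rather than a loaded module. Read against the documented Win32 prototypes, the first VirtualProtect sets a 0x1000-byte page to PAGE_READWRITE and the second passes a non-constant value in the same slot, the usual patch-then-restore-protection sequence; VirtualAlloc commits read-write memory and VirtualFree with 0x4000 decommits it (MEM_DECOMMIT, not MEM_RELEASE). The RegCreateKeyExA argument list above contains 80000001 (the HKEY_CURRENT_USER handle value) and 000F003F (KEY_ALL_ACCESS), consistent with the autostart key the report's signatures describe, but its columns do not line up with the documented parameter order, so they can only be matched by value. The Python below is an added example, not code from the report; it parses report-style API lines, names flag arguments positionally for the three Virtual* calls and by value for Reg* calls, and flags any protection that makes memory executable. Sample lines are copied from this page.

```python
import re

# Constants from winnt.h, used to label raw hex arguments.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
              0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
# Distinctive registry values: predefined hive handles and common access masks.
REG_VALUES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
              0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE"}

# Documented parameter order for calls whose report arguments match the prototype.
PROTOTYPES = {
    "VirtualAlloc":   [("lpAddress", None), ("dwSize", None),
                       ("flAllocationType", ALLOC_TYPE), ("flProtect", PAGE_PROTECT)],
    "VirtualProtect": [("lpAddress", None), ("dwSize", None),
                       ("flNewProtect", PAGE_PROTECT), ("lpflOldProtect", None)],
    "VirtualFree":    [("lpAddress", None), ("dwSize", None), ("dwFreeType", FREE_TYPE)],
}

CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\)\s*,\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def flag_names(value, table):
    """Render a flag value as NAME|NAME; unknown bits are kept as hex."""
    if table is PAGE_PROTECT:
        # Protection is one base value in the low byte plus optional modifier bits.
        base = value & 0xFF
        names = [PAGE_PROTECT.get(base, f"0x{base:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
        rest = value & ~0x7FF
    else:
        known = 0
        for bit in table:
            known |= bit
        names = [n for bit, n in table.items() if value & bit]
        rest = value & ~known
    if rest or not names:
        names.append(f"0x{rest:x}")
    return "|".join(names)


def is_exec_protect(value):
    return bool(value & EXEC_MASK)


def decode_call(line):
    """Parse one 'API.MODULE(args), ref: ADDR' line into named, labelled arguments."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError(f"not an API-call line: {line!r}")
    api, module, raw_args, ref = m.groups()
    tokens = [t.strip() for t in raw_args.split(",")] if raw_args.strip() else []
    proto = PROTOTYPES.get(api, [])
    args, makes_exec = [], False
    for i, tok in enumerate(tokens):
        name, table = proto[i] if i < len(proto) else (f"arg{i}", None)
        label = None
        if HEX_RE.fullmatch(tok):
            value = int(tok, 16)
            if table is not None:
                label = flag_names(value, table)
                if table is PAGE_PROTECT and is_exec_protect(value):
                    makes_exec = True
            elif api.startswith("Reg") and value in REG_VALUES:
                label = REG_VALUES[value]  # value match only; columns may be shifted
        args.append((name, tok, label))
    return {"api": api, "module": module, "ref": ref, "args": args,
            "makes_executable": makes_exec}


def summarize(lines):
    out = []
    for line in lines:
        c = decode_call(line)
        flags = ", ".join(f"{n}={lbl}" for n, _, lbl in c["args"] if lbl)
        tag = " [makes memory executable]" if c["makes_executable"] else ""
        out.append(f"{c['api']} @ {c['ref']}: {flags or 'no flag arguments'}{tag}")
    return out


# Constructed from the call lines listed in the function summaries above.
REPORT_LINES = [
    "• VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 02AA14EF",
    "• VirtualProtect.KERNEL32(?,00001000,?,?), ref: 02AA150D",
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02AA007E",
    "• VirtualFree.KERNELBASE(00000000,?,00004000), ref: 02AA00BE",
    "• RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,"
    "80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A",
]

if __name__ == "__main__":
    print("\n".join(summarize(REPORT_LINES)))
```

None of the four memory calls shown here requests an executable protection; the executable pages in that region must therefore come from a call outside this listing or from the initial allocation, which is the next thing to look for in the full API trace.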
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                                • Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
                                                • Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                                • Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1
                                                APIs
                                                • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InternetOpen
                                                • String ID:
                                                • API String ID: 2038078732-0
                                                • Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                                • Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
                                                • Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                                • Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95
                                                APIs
                                                • CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CreateMutex
                                                • String ID:
                                                • API String ID: 1964310414-0
                                                • Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                                • Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
                                                • Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                                • Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02
                                                APIs
                                                • GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: NamePathShort
                                                • String ID:
                                                • API String ID: 1295925010-0
                                                • Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                                • Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
                                                • Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                                • Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12
                                                APIs
                                                • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: FirstProcess32
                                                • String ID:
                                                • API String ID: 2623510744-0
                                                • Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                • Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
                                                • Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                • Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12
                                                APIs
                                                • Process32Next.KERNEL32(00000000,00000000), ref: 1000411D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: NextProcess32
                                                • String ID:
                                                • API String ID: 1850201408-0
                                                • Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                • Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
                                                • Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                • Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12
                                                APIs
                                                • GetDriveTypeA.KERNEL32(?,1000824C,10015940), ref: 1000400E
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: DriveType
                                                • String ID:
                                                • API String ID: 338552980-0
                                                • Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                • Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
                                                • Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                • Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01
                                                APIs
                                                • RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
APIs
• gethostbyname.WS2_32(00000000), ref: 10003EB8
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: gethostbyname
• String ID:
• API String ID: 930432418-0
APIs
• PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: ExistsFilePath
• String ID:
• API String ID: 1174141254-0
APIs
• VirtualFree.KERNELBASE(00000000,?,00004000), ref: 02AA00BE
Memory Dump Source
• Source File: 00000005.00000002.4613189163.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2aa0000_rundll32.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• InternetReadFile.WININET(?,?,?,?), ref: 10003F51
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: FileInternetRead
• String ID:
• API String ID: 778332206-0
APIs
• ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: ExitWindows
• String ID:
• API String ID: 1089080001-0
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
• VariantInit.OLEAUT32(?), ref: 1000734D
• SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
• VariantInit.OLEAUT32(?), ref: 10007377
  • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
• SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
• VariantInit.OLEAUT32(?), ref: 10007513
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant$ArrayCreateSafe
• String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Dv
• API String ID: 2640012081-2802282100
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf
• String ID: %s\%s$%s\version.txt$12010043$12010043$C:\Users\user\Desktop$C:\Users\user\Desktop\12010043$C:\Users\user\Desktop\jYAKmjIPgI.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB2D2496$M%s$Mhost123.zz.am:6658$host123.zz.am:6658
• API String ID: 2111968516-2271793361
APIs
• VariantInit.OLEAUT32(?), ref: 10004EC5
• VariantInit.OLEAUT32(?), ref: 10004ECB
• VariantInit.OLEAUT32(?), ref: 10004ED1
• VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 10005009
• VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 1000500F
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Dv$svchost.exe$svchost.exe -k NetworkService
• API String ID: 1927566239-2472453162
APIs
• wsprintfA.USER32 ref: 1000574F
• wsprintfA.USER32 ref: 100057B1
• wsprintfA.USER32 ref: 100057C5
• PrintFile.JYAKMJIPGI(?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000,?,1000720C), ref: 100057E8
• CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,00000000), ref: 10005835
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf$CreateFilePrintThread
• String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
• API String ID: 1788855648-1421401311
APIs
• wsprintfA.USER32 ref: 10005437
• wsprintfA.USER32 ref: 1000549E
• wsprintfA.USER32 ref: 100054BC
• PrintFile.JYAKMJIPGI(?,?,10016594,?,00000000), ref: 100054DE
• wsprintfA.USER32 ref: 10005582
• Sleep.KERNEL32(000003E8,00000000,76938400,?,40000000,00000001,00000000,00000002,00000000,00000000,75C0C650,?,?,00000009,00000000,10016594), ref: 100055AE
Strings
• c:\windows\system32\drivers\%s, xrefs: 10005498
• %s\%s, xrefs: 10005431
• Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf$FilePrintSleep
• String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
• API String ID: 518940211-4228670124
APIs
• Sleep.KERNEL32(?,?,?,cmd.exe), ref: 100043A6
• Sleep.KERNEL32(000003E8), ref: 100043E5
Memory Dump Source
• Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?,000000BC,00000000,?,00000128,00000000), ref: 10005F21
                                                  • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,00000000,00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?), ref: 10004132
                                                  • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                  • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(00000000,00000010,?,00000000,00000000,10005F7E,?,10005F7E,00000000,00000000,?,00000010,00000000,00000000), ref: 10004064
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                • String ID: %s\lang.ini$C:\Users\user\Desktop
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                                APIs
                                                Strings
                                                • C:\Users\user\Desktop, xrefs: 1000880B
                                                • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleepwsprintf
                                                • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant
                                                • String ID: $p=Dv
                                                APIs
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                  • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.4666797038.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000005.00000002.4666767060.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666832555.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666860577.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666895226.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666937266.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.4666975760.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CreateTimer$Concurrency::details::platform::__FileQueue
                                                • String ID: %s\lang.ini$C:\Users\user\Desktop

                                                Execution Graph

                                                Execution Coverage:9.2%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:63
                                                Total number of Limit Nodes:3

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 005B0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 005B0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 005B0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 005B0E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 005B0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 005B0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 005B0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 005B0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 005B0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 005B0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 005B0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 005B0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 005B0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 005B0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.

                                                Control-flow Graph

                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 005B14EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 005B150D
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005B007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 005B00BE
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:

                                                Control-flow Graph

                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 005B00BE
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_5b0000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: d4d1eacd8e6d88c2942f78f139dc03da5d345f3fcba870659c8e8d777b68c05c
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: B4F0E92254A31A6DF62077357C4DBA7BF98FB42321B551D97EC40D60D2DD11E80296A4

                                                Execution Graph

                                                Execution Coverage:1.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:31
                                                Total number of Limit Nodes:2
                                                • Nodes (id, address, calls): 17321 4760cd0; 17323 4760ce7; 17325 4760d32; 17326 4760d3e; 17327 4760d57 VirtualAlloc; 17328 4760e28 MessageBoxA ExitProcess; 17329 4760e42; 17330 4760d86; 17331 4760e70 VirtualFree; 17332 4760dc7; 17333 4760dd7 wsprintfA; 17335 4760de7; 17336 4760cf9; 17337 4760d29; 17338 4760d57 VirtualAlloc; 17339 4760e28 MessageBoxA ExitProcess; 17340 4760e42; 17341 4760d86; 17342 4760e70 VirtualFree; 17343 4760dc7; 17344 4760e0c wsprintfA; 17345 4760de7; 17346 4760063; 17347 4760067; 17348 47600c3; 17349 476006b VirtualAlloc; 17350 47600b5 VirtualFree; 17351 4760084; 17352 47614c0 VirtualProtect; 17353 47614ff VirtualProtect; 17354 47614fb
                                                • Edges: 17346->17347, 17347->17348, 17347->17349, 17349->17348, 17349->17351, 17350->17348, 17351->17350, 17321->17325, 17323->17336, 17325->17326, 17326->17327, 17327->17330, 17329->17331, 17331->17323, 17330->17328, 17330->17329, 17330->17332, 17332->17333, 17332->17335, 17333->17335, 17335->17328, 17336->17337, 17337->17338, 17338->17341, 17340->17342, 17341->17339, 17341->17340, 17341->17343, 17343->17344, 17343->17345, 17344->17345, 17345->17339, 17352->17353, 17352->17354, 17354->17353
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 12010043
                                                • API String ID: 0-1530405306
                                                • Opcode ID: 244b7cbdff811d894f755473b4da469e1646f99ca6ba9c142f7eec193f4a55a6
                                                • Instruction ID: d8f586cfb2acdd232f2dfe4693d98a20b48973cb1efe48d49be8cb568dbb4cca
                                                • Opcode Fuzzy Hash: 244b7cbdff811d894f755473b4da469e1646f99ca6ba9c142f7eec193f4a55a6
                                                • Instruction Fuzzy Hash:

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04760D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04760E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04760E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04760E3C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 2186a02cb1e5986353d4e4ad4e53f126c3bac5fc70828e01c5410af7f451749c
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: F751C1312057859FDB36DF20CC54ADA3BB6AF06204F09419ADD479B296EB34B815CB51
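
The dump above comes from region 04760000 with `based on PE: false`, i.e. memory that was not loaded from the sample's PE image but written at runtime, and it holds the import-resolution stub that prints `The procedure %s could not be located in the DLL %s.` before calling ExitProcess. The following Python is an added triage helper, not part of the Joe Sandbox output and not the sample's own code: it reads the `Source File` lines of a report and flags executable private regions with no PE backing, which is where unpacked or injected code is found. Assumption, inferred from the names in this report rather than from Joe Sandbox documentation: the dotted hex fields of a `.sdmp` name hold, in order, the process index, a run index, an internal id, the region base, the page protection, a state field, the memory type and a trailing field. The Windows constants are from winnt.h.

```python
import re

# Windows memory constants from winnt.h (PAGE_* protections, MEM_* region types).
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed input: three "Source File" lines copied from this report.
SOURCE_LINES = [
    "Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false",
    "Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true",
    "Source File: 0000000A.00000002.2187882722.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false",
]

LINE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)


def parse_dump_name(name):
    """Split a .sdmp name into its eight dotted hex fields.

    Assumption (inferred from this report, not documented by Joe Sandbox):
    field 0 = process index, field 3 = region base, field 4 = page protection,
    field 6 = memory type (MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE).
    """
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError("unexpected .sdmp name: " + name)
    vals = [int(f, 16) for f in fields]
    return {"pid_index": vals[0], "base": vals[3], "protect": vals[4], "type": vals[6]}


def classify(line):
    """Parse one 'Source File' line and decide whether the region looks like unpacked code."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name, offset, pe = m.groups()
    info = parse_dump_name(name)
    info["offset"] = int(offset, 16)
    info["based_on_pe"] = pe == "true"
    executable = bool(info["protect"] & EXEC_MASK)
    writable = bool(info["protect"] & WRITE_MASK)
    info["rwx"] = executable and writable
    # Executable, privately allocated, and not backed by a PE: the classic
    # footprint of code that was decrypted or injected at runtime.
    info["suspicious"] = executable and info["type"] == MEM_PRIVATE and not info["based_on_pe"]
    return info


def suspicious_regions(lines):
    """Return the parsed records for every region flagged as suspicious."""
    return [c for c in map(classify, lines) if c and c["suspicious"]]


if __name__ == "__main__":
    for r in suspicious_regions(SOURCE_LINES):
        print("pid#%d base=0x%08X protect=0x%02X type=0x%X" % (r["pid_index"], r["base"], r["protect"], r["type"]))
```

The RWX image region at 10001000 is not flagged by this rule because it is MEM_IMAGE and PE-backed; it is what the "PE file has a writeable .text section" signature refers to, and a separate check on `rwx` catches it.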

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04760D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04760E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04760E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04760E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04760E85
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: b06c87a970af6d1f69a4af1181e715b7fdf29962dcf3f6e7b9e784475fa05504
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: 86418A322007569BEB38DF24CC48EEB73A6EF48355F044618EE47A7784EB70B8158B90

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04760D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04760E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04760E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04760E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04760E85
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: b5c5ef8b747907bc1ca925138b38294d7acb592bc79b95bd8812d803627d9089
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 4E3188322417869FEB39DF20CC88EEB77A6AF45355F00411DED4697685EB70B810CB50

                                                Control-flow Graph
                                                • Nodes (id, address range, calls): 137 47614c0-47614f9 VirtualProtect; 138 47614ff-4761517 VirtualProtect; 139 47614fb-47614fd
                                                • Edges: 137->138, 137->139, 139->138
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 047614EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0476150D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: 8d2a4c20126dc25aa5f8bd2f72a24814c118ac7613ab354e2fa374d0e7b920e0
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: 37F0E933240245AFEB098F64D885EEE7B68DF48398B20006AFB029A286CA71E551C754

                                                Control-flow Graph
                                                • Nodes (id, address range, calls): 179 4760063-4760069; 181 47600c3-47600c5; 182 476006b-4760082 VirtualAlloc; 183 4760084-47600b0 call 47600cd; 184 47600c6-47600ca; 187 47600b5-47600c1 VirtualFree; 188 47600b2-47600b4
                                                • Edges: 179->181, 179->182, 181->184, 182->181, 182->183, 183->187, 183->188, 187->184, 188->187
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0476007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 047600BE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: 66544c10a15b6997b60ac0db2afedd4abcff886cb76ee7643cd7d0b4fea5c378
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: 03018C76209682BEE7318AA19C00F37BBEDDF48616F144C5AFED6C2190DA26E4409F70

                                                Control-flow Graph
                                                • Nodes (id, address range, calls): 189 476002a-476002e; 191 4760034-4760043 call 4760047; 192 47600c3-47600c5; 193 47600c6-47600ca; 196 4760045-476004c; 197 47600aa-47600b0; 198 4760056-4760061; 199 4760051 call 4760063; 200 47600b5-47600c1 VirtualFree; 201 47600b2-47600b4
                                                • Edges: 189->191, 189->192, 191->196, 191->197, 192->193, 196->198, 196->199, 197->200, 197->201, 198->192, 199->198, 200->193, 201->200
                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 047600BE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453139698.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4760000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: a56744b936f6b1e5788195d502ab2c7de85055220334dbed433710e8ae3d4f04
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 44F09E3224A3816DF210F7347C48B27BB99DF07329B150D97DC42D2192DD21E8028AF4
                                                APIs
                                                • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                • VariantInit.OLEAUT32(?), ref: 1000734D
                                                • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                • VariantInit.OLEAUT32(?), ref: 10007377
                                                  • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                • VariantInit.OLEAUT32(?), ref: 10007513
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant$ArrayCreateSafe
                                                • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Dv
                                                • API String ID: 2640012081-2802282100
                                                • Opcode ID: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                                • Opcode Fuzzy Hash: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant
                                                • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Dv$svchost.exe$svchost.exe -k NetworkService
                                                • API String ID: 1927566239-2472453162
                                                • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                                • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                                APIs
                                                • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                • Sleep.KERNEL32 ref: 10007059
                                                • wsprintfA.USER32 ref: 1000709D
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000), ref: 100070D6
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000,?,00000000), ref: 100070E9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: FilePrintSleep$wsprintf
                                                • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                • API String ID: 1547040302-3813294871
                                                • Opcode ID: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                • Opcode Fuzzy Hash: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55
                                                APIs
                                                • wsprintfA.USER32 ref: 1000574F
                                                • wsprintfA.USER32 ref: 100057B1
                                                • wsprintfA.USER32 ref: 100057C5
                                                • PrintFile.JYAKMJIPGI(?,?,00000000), ref: 100057E8
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf$CreateFilePrintThread
                                                • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                • API String ID: 1788855648-1421401311
                                                • Opcode ID: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                                • Opcode Fuzzy Hash: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                                APIs
                                                • wsprintfA.USER32 ref: 10005437
                                                • wsprintfA.USER32 ref: 1000549E
                                                • wsprintfA.USER32 ref: 100054BC
                                                • PrintFile.JYAKMJIPGI(?,?,10016594,?,00000000), ref: 100054DE
                                                • wsprintfA.USER32 ref: 10005582
                                                • Sleep.KERNEL32(000003E8,00000000,76938400,?,40000000,00000001,00000000,00000002,00000000,00000000,75C0C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                                Strings
                                                • %s\%s, xrefs: 10005431
                                                • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf$FilePrintSleep
                                                • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                                • API String ID: 518940211-4228670124
                                                • Opcode ID: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                                • Opcode Fuzzy Hash: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf
                                                • String ID: %s\%s$%s\version.txt$12010043$F896SD5DAE$M%s$host123.zz.am:6658
                                                • API String ID: 2111968516-3890874662
                                                • Opcode ID: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                                • Opcode Fuzzy Hash: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                                APIs
                                                • wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,0007D000,00000000,00000000), ref: 100065C8
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,0007D000,00000000,00000000), ref: 100065E6
                                                • wsprintfA.USER32 ref: 100066E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                • API String ID: 4077377486-2496724313
                                                • Opcode ID: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                • Opcode Fuzzy Hash: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1
                                                APIs
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                  • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseFormatQueryTimeValue___crt
                                                • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                • API String ID: 271660946-3893357082
                                                • Opcode ID: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                • Opcode Fuzzy Hash: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                • API String ID: 0-2039984758
                                                • Opcode ID: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                • Opcode Fuzzy Hash: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                APIs
                                                • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                                • wsprintfA.USER32 ref: 100083E6
                                                Strings
                                                • 8.8.8.8, xrefs: 100083EF
                                                • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                • 127.0.0.1, xrefs: 100083F4
                                                • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleepwsprintf
                                                • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                • API String ID: 1749205058-626475063
                                                • Opcode ID: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                • Opcode Fuzzy Hash: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51
                                                APIs
                                                  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                  • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                • wsprintfA.USER32 ref: 10006D88
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                  • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                Strings
                                                • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                • %s "%s",DoAddToFavDlg, xrefs: 10006D82
                                                • dtfd, xrefs: 10006DA6
                                                • REG_SZ, xrefs: 10006D44
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                • String ID: %s "%s",DoAddToFavDlg$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                • API String ID: 1762869224-3711648159
                                                • Opcode ID: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                • Opcode Fuzzy Hash: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4
                                                APIs
                                                  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                • GetLastError.KERNEL32 ref: 10006AA8
                                                  • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                • String ID: 0x5d65r455f$5762479093
                                                • API String ID: 3244495550-2446933972
                                                • Opcode ID: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                • Opcode Fuzzy Hash: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3
                                                APIs
                                                • Sleep.KERNEL32(00002710), ref: 1000857E
                                                • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                • API String ID: 3472027048-3516831565
                                                • Opcode ID: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                • Opcode Fuzzy Hash: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 10005F21
                                                  • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,?), ref: 10004132
                                                  • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                  • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 10004064
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                • String ID: %s\lang.ini
                                                • API String ID: 3793502078-1858510373
                                                • Opcode ID: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                                • Opcode Fuzzy Hash: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$http://$search
                                                • API String ID: 1721638100-482061809
                                                • Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                • Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                APIs
                                                • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                Strings
                                                • svchsot.exe, xrefs: 10008524
                                                • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                • API String ID: 3472027048-2214221337
                                                • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf
                                                • String ID: %s\%s$.$\*.*
                                                • API String ID: 2111968516-2210278135
                                                • Opcode ID: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                • Instruction ID: 8eec4f815dbe1efa717b949f22b0b4cf07a5e7ea20f36989431d082c549aebfc
                                                • Opcode Fuzzy Hash: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                • Instruction Fuzzy Hash: D9315CB6C0425CBBEF12DFA4CC46EDE7B7DEB09380F0004A6F618A6051DB719B988B51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant
                                                • String ID: $p=Dv
                                                • API String ID: 1927566239-3905987846
                                                • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                                • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.4453383577.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 0000000B.00000002.4453356714.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453409873.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453440075.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453476863.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453560000.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 0000000B.00000002.4453594742.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$http://
                                                • API String ID: 1721638100-679094439
                                                • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

                                                Execution Graph

                                                 Execution Coverage: 11.3%
                                                 Dynamic/Decrypted Code Coverage: 100%
                                                 Signature Coverage: 0%
                                                 Total number of Nodes: 63
                                                 Total number of Limit Nodes: 3
                                                execution_graph 377 46014c0 VirtualProtect 378 46014fb 377->378 379 46014ff VirtualProtect 377->379 378->379 380 4600cd0 384 4600d32 380->384 382 4600ce7 395 4600cf9 382->395 385 4600d3e 384->385 386 4600d57 VirtualAlloc 385->386 388 4600d86 386->388 387 4600e28 MessageBoxA ExitProcess 388->387 389 4600e42 388->389 390 4600dc7 388->390 391 4600e70 VirtualFree 389->391 392 4600dd7 wsprintfA 390->392 394 4600de7 390->394 391->382 392->394 394->387 396 4600d29 395->396 397 4600d57 VirtualAlloc 396->397 400 4600d86 397->400 398 4600e28 MessageBoxA ExitProcess 399 4600e42 402 4600e70 VirtualFree 399->402 400->398 400->399 401 4600dc7 400->401 403 4600e0c wsprintfA 401->403 404 4600de7 401->404 403->404 404->398 405 4600063 406 4600067 405->406 407 46000c3 406->407 408 460006b VirtualAlloc 406->408 408->407 409 4600084 408->409 410 46000b5 VirtualFree 409->410 410->407 411 4601525 LoadLibraryA 412 4601547 GetProcAddress 413 460002a 414 460002c 413->414 415 46000c3 414->415 421 4600047 414->421 418 4600056 VirtualFree 418->415 422 460004b 421->422 423 460003b 422->423 424 4600063 2 API calls 422->424 425 4600056 VirtualFree 422->425 423->418 427 4600063 423->427 424->425 425->423 428 4600067 427->428 429 46000c3 428->429 430 460006b VirtualAlloc 428->430 429->418 430->429 431 4600084 430->431 432 46000b5 VirtualFree 431->432 432->429 433 4600c8d 434 4600caf 433->434 435 4600d57 VirtualAlloc 434->435 437 4600d86 435->437 436 4600e28 MessageBoxA ExitProcess 437->436 438 4600e42 437->438 439 4600dc7 437->439 440 4600e70 VirtualFree 438->440 441 4600e0c wsprintfA 439->441 442 4600de7 439->442 441->442 442->436 443 4600e9f 444 4600ea9 LoadLibraryA 443->444 445 4600ec1 444->445 445->444 446 4600ec7 GetProcAddress 445->446 447 4600ee4 445->447 446->445

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04600D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04600E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04600E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04600E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 5b2584f21d54db1bfa9fde2589467e7b9fbd5254afb84e1c46a9ee741214bcd2
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 8751B0312057859FDB3A8F20CC40BDB3BB5AF06304B09819EDD869B2D6EB34B815CB65

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04600D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04600E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04600E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04600E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04600E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: 6511c0cd0d8da6652ba898d423ce40b360cfaa7ff170b25c55b9f186a42f7719
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: BF418B322007469FEB38CF14CC84FEB73A5AF49355F04821DEE46A7684EB71B8118B94

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04600D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04600E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04600E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04600E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04600E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: 4a3537e9e04b334764853922a03a273910a5cf8eb7ae82f43ae530fd07a8a538
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 8E31863220174A9FEB399F10CC84FEB77A5AF45355F00811DEE46A7685EB70B8108B54

                                                Control-flow Graph

                                                control_flow_graph 98 46014c0-46014f9 VirtualProtect 99 46014fb-46014fd 98->99 100 46014ff-4601517 VirtualProtect 98->100 99->100
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 046014EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0460150D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: 385de29761e6aebdd9607cfa1fa0b8739c035c7728218298ba398193f46f4eb3
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: 03F0E933240245AFEB0D8F64D885EEE7768DF49398B20006AF7029A286CA71E555C754

                                                Control-flow Graph

                                                control_flow_graph 101 4600063-4600069 103 46000c3-46000c5 101->103 104 460006b-4600082 VirtualAlloc 101->104 105 46000c6-46000ca 103->105 104->103 106 4600084-46000b0 call 46000cd 104->106 109 46000b2-46000b4 106->109 110 46000b5-46000c1 VirtualFree 106->110 109->110 110->105
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0460007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 046000BE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: 1131fdda5a87b08b95b4ebe985504d19fe6928a3582a9352dd1ddca49d724508
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: E80181722096017EE7314BA1AC00F37BBDCDF58616F148C5AFAD6C1190E926E5419B70

                                                Control-flow Graph

                                                control_flow_graph 111 460002a-460002e 113 46000c3-46000c5 111->113 114 4600034-4600043 call 4600047 111->114 115 46000c6-46000ca 113->115 118 4600045-4600061 call 4600063 114->118 119 46000aa-46000b0 114->119 118->119 121 46000b2-46000b4 119->121 122 46000b5-46000c1 VirtualFree 119->122 121->122 122->115
                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 046000BE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2269573507.0000000004600000.00000040.00001000.00020000.00000000.sdmp, Offset: 04600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_4600000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: 1f94c841cbe503d088ce17c3b4a9a1e4cf7dcbcd37ec39f0e59debbb24ddc4b1
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 88F0592224A30129F21867347C44B27BB98DB13229B154D9BDC42D20D1FD11E90286B4
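
                                                 Three of the listings above carry the evidence that matters for triage: the Sleep function whose String ID is a base64 blob (it decodes to the SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, stored with doubled backslashes) paired with svchsot.exe, a one-letter transposition of svchost.exe; the wsprintf function with %s\%s and \*.* (directory enumeration); and the code at 04600000, which calls VirtualAlloc with flProtect 00000040 (PAGE_EXECUTE_READWRITE), VirtualProtect, LoadLibraryA and GetProcAddress and carries the loader error text "The procedure %s could not be located in the DLL %s.", i.e. a hand-rolled PE loader that resolves imports itself. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's own APIs and String ID line formats, base64-decodes string pieces, collapses the doubled backslashes, flags the lookalike process name with an edit distance that counts transpositions, and tags the RWX allocation plus VirtualProtect plus error-string combination as a manual loader. The sample lines are copied from this page; the SYSTEM_BINARIES list and the tag names are my own assumptions.

```python
"""Triage of the Joe Sandbox function listings above. Added example; not report or sample code."""
import base64
import re
from collections import namedtuple

# Constructed sample: lines copied in the report's own format from the listings on this page.
REPORT_SNIPPET = r"""
• API ID: Sleep
• String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
• API ID: wsprintf
• String ID: %s\%s$.$\*.*
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04600D78
• wsprintfA.USER32(?,?,?,?), ref: 04600E1C
• MessageBoxA.USER32(00000000,?,?,00000010), ref: 04600E34
• ExitProcess.KERNEL32(00000000), ref: 04600E3C
• VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04600E85
• VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 046014EF
• String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
"""

PAGE_EXECUTE_READWRITE = 0x40  # the flProtect value (00000040) passed to VirtualAlloc above
LOADER_ERROR_FMT = "The procedure %s could not be located in the DLL %s."
SYSTEM_BINARIES = ("svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe", "csrss.exe")  # assumed

API_RE = re.compile(r"^(?:•\s*)?(?P<name>[\w:]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^(?:•\s*)?String ID:\s*(?P<field>.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ApiCall = namedtuple("ApiCall", "name module args ref")  # args: int for hex, None for '?', str otherwise


def parse_args(raw):
    """Hex tokens become ints, '?' (unknown to the sandbox) becomes None, anything else stays text."""
    toks = [t.strip() for t in raw.split(",")] if raw else []
    return tuple(None if t in ("", "?") else int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]+", t) else t
                 for t in toks)


def decode_string_id(field):
    """Split a String ID on Joe's '$' separator; base64-decode pieces that yield printable ASCII."""
    out = []
    for piece in filter(None, field.split("$")):
        if B64_RE.match(piece) and len(piece) % 4 == 0:
            try:
                text = base64.b64decode(piece, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                text = ""
            if text and text.isprintable():
                out.append(text)
                continue
        out.append(piece)
    return out


def parse_report(text):
    calls, strings = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := API_RE.match(line):
            calls.append(ApiCall(m["name"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
        elif m := STRING_RE.match(line):
            strings.extend(decode_string_id(m["field"]))
    return calls, strings


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the system binary that `name` is one edit or transposition away from, if any."""
    name = name.lower()
    return next((k for k in SYSTEM_BINARIES if k != name and osa_distance(name, k) == 1), None)


def triage(calls, strings):
    """Map the parsed evidence to behaviour tags, recording what supports each."""
    tags = {}
    # The decoded key carries doubled backslashes as stored in the sample; collapse them to compare.
    normalized = [re.sub(r"\\+", r"\\", s) for s in strings]
    run_keys = [s for s in normalized if s.lower().endswith(r"\currentversion\run")]
    exes = [s for s in strings if s.lower().endswith(".exe")]
    if run_keys and exes:
        tags["persistence_run_key"] = {"key": run_keys[0], "value_hint": exes[0],
                                       "lookalike_of": lookalike_of(exes[0])}
    if any(s.endswith(r"\*.*") for s in strings) and any("%s\\%s" in s for s in strings):
        tags["directory_enumeration"] = True
    rwx = [c for c in calls if c.name == "VirtualAlloc" and len(c.args) > 3
           and c.args[3] == PAGE_EXECUTE_READWRITE]
    if rwx and any(c.name == "VirtualProtect" for c in calls) and LOADER_ERROR_FMT in strings:
        tags["manual_pe_loader"] = {"rwx_alloc_refs": [hex(c.ref) for c in rwx]}
    return tags


if __name__ == "__main__":
    print(triage(*parse_report(REPORT_SNIPPET)))
```

                                                 Run against the sample lines it reports the Run key with svchsot.exe as a lookalike of svchost.exe, the directory walk, and the RWX allocation at 04600D78 that anchors the loader tag. The tags are only as good as the lines fed in: an API line without parentheses (such as the Concurrency::details::platform::__CreateTimerQueueTimer entry above) parses to an empty argument tuple, and a String ID piece is only decoded when the whole piece is valid base64 of at least 16 characters, so short or mixed fields are left as they are.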

                                                Execution Graph

                                                 Execution Coverage: 9.2%
                                                 Dynamic/Decrypted Code Coverage: 100%
                                                 Signature Coverage: 0%
                                                 Total number of Nodes: 63
                                                 Total number of Limit Nodes: 3
                                                execution_graph 408 459002a 409 459002c 408->409 410 4590056 409->410 417 4590047 409->417 413 4590045 413->410 421 4590063 413->421 415 45900aa VirtualFree 415->410 418 459004b 417->418 419 459003b 418->419 420 4590063 2 API calls 418->420 419->413 419->415 420->419 422 4590067 421->422 423 459006b VirtualAlloc 422->423 424 45900c3 422->424 423->424 425 4590084 423->425 424->410 426 45900b5 VirtualFree 425->426 426->424 427 4590c8d 428 4590caf 427->428 429 4590d57 VirtualAlloc 428->429 431 4590d86 429->431 430 4590e28 MessageBoxA ExitProcess 431->430 432 4590e42 431->432 434 4590dc7 431->434 433 4590e70 VirtualFree 432->433 435 4590e0c wsprintfA 434->435 436 4590de7 434->436 435->436 436->430 437 4590e9f 438 4590ea9 LoadLibraryA 437->438 439 4590ec1 438->439 439->438 440 4590ec7 GetProcAddress 439->440 441 4590ee4 439->441 440->439 374 4590cd0 378 4590d32 374->378 376 4590ce7 389 4590cf9 376->389 379 4590d3e 378->379 380 4590d57 VirtualAlloc 379->380 382 4590d86 380->382 381 4590e28 MessageBoxA ExitProcess 382->381 383 4590e42 382->383 385 4590dc7 382->385 384 4590e70 VirtualFree 383->384 384->376 386 4590dd7 wsprintfA 385->386 388 4590de7 385->388 386->388 388->381 390 4590d29 389->390 391 4590d57 VirtualAlloc 390->391 393 4590d86 391->393 392 4590e28 MessageBoxA ExitProcess 393->392 394 4590e42 393->394 396 4590dc7 393->396 395 4590e70 VirtualFree 394->395 397 4590e0c wsprintfA 396->397 398 4590de7 396->398 397->398 398->392 399 45914c0 VirtualProtect 400 45914fb 399->400 401 45914ff VirtualProtect 399->401 400->401 402 4590063 403 4590067 402->403 404 459006b VirtualAlloc 403->404 405 45900c3 403->405 404->405 406 4590084 404->406 407 45900b5 VirtualFree 406->407 407->405 442 4591525 LoadLibraryA 443 4591547 GetProcAddress

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04590D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04590E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04590E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04590E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 3726c14c9f82762a42fb9034dbc85ea70f19e65976eb83f790e89c16a9c8779d
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 6851E1312057869FEB368F20CC40AEB3BF5AF46604F09459ADD869B296EB34BC15CB51

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04590D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04590E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04590E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04590E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04590E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: 260f0aeb3e434059e649f8e56532b541545c8a2cf5e14310264ebfcc81bf0940
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: C7418A322007169BEB38CF14CC44EEB73E5BF48755F044618EE4AA7684EB70BD119B90

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04590D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 04590E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04590E34
                                                • ExitProcess.KERNEL32(00000000), ref: 04590E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04590E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: 2d263d614c4447ea5daa2d932adadc55451a0994789aae87da147fc255a69e0d
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: ED31963220074A9FEB389F10CC80EEB77A9BF84755F004519EE4697685EB70B8109B50

                                                Control-flow Graph

                                                control_flow_graph 98 45914c0-45914f9 VirtualProtect 99 45914fb-45914fd 98->99 100 45914ff-4591517 VirtualProtect 98->100 99->100
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 045914EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0459150D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: 8c3db4bc12cb9c35fb267bab613025f920f24dd9b371cb5e26ac8005735e0dbd
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: E5F0E933240245AFEF098F64D885EEE7768DF48398B20006AF7029A286CA71E551C754

                                                Control-flow Graph

                                                control_flow_graph 101 4590063-4590069 103 459006b-4590082 VirtualAlloc 101->103 104 45900c3-45900c5 101->104 103->104 105 4590084-45900a4 103->105 106 45900c6-45900ca 104->106 107 45900aa-45900b0 105->107 108 45900a5 call 45900cd 105->108 109 45900b2-45900b4 107->109 110 45900b5-45900c1 VirtualFree 107->110 108->107 109->110 110->104 110->106
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0459007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 045900BE
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: c3a1e22844e773eff8491c02e8e1569ed354b0f1a37c123e00971bc5fa12a35e
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: 0001A4722096127EEB315AA1AC01F37BBDCEF48B26F144C5AFAD5C20D0D925F840AB70

                                                Control-flow Graph

                                                 Basic blocks of the rendered graph (executed/not-executed colouring is not preserved in this text form):
                                                 • 111: 459002a-459002e -> 113, 114
                                                 • 113: 45900c3-45900c5 -> 116
                                                 • 114: 4590034-4590043 call 4590047 -> 118, 119
                                                 • 116: 45900c6-45900ca
                                                 • 118: 45900aa-45900b0 -> 122, 123
                                                 • 119: 4590045-459004c -> 120, 121
                                                 • 120: 4590056-4590061 -> 113
                                                 • 121: 4590051 call 4590063 -> 120
                                                 • 122: 45900b2-45900b4 -> 123
                                                 • 123: 45900b5-45900c1 VirtualFree -> 113, 116
                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 045900BE
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.2249556762.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_4590000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: f2137705bf31302949705e575d6c30a67be8958779869bdafbfe56c6473ab56c
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: C2F0E92264A31179FA1077357C48A27BBD8FB42B29B550D97DC40D70D1ED11EC42A6A4

                                                Execution Graph

                                                Execution Coverage:1.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:31
                                                Total number of Limit Nodes:2
                                                 Nodes of the rendered execution graph (text form; node numbers are the plugin's):
                                                 • 17324: 33c0cd0 -> 17328
                                                 • 17326: 33c0ce7 -> 17339
                                                 • 17328: 33c0d32 -> 17329
                                                 • 17329: 33c0d3e -> 17330
                                                 • 17330: 33c0d57 VirtualAlloc -> 17332
                                                 • 17331: 33c0e28 MessageBoxA ExitProcess
                                                 • 17332: 33c0d86 -> 17331, 17333, 17334
                                                 • 17333: 33c0e42 -> 17335
                                                 • 17334: 33c0dc7 -> 17336, 17338
                                                 • 17335: 33c0e70 VirtualFree -> 17326
                                                 • 17336: 33c0dd7 wsprintfA -> 17338
                                                 • 17338: 33c0de7 -> 17331
                                                 • 17339: 33c0cf9 -> 17340
                                                 • 17340: 33c0d29 -> 17341
                                                 • 17341: 33c0d57 VirtualAlloc -> 17343
                                                 • 17342: 33c0e28 MessageBoxA ExitProcess
                                                 • 17343: 33c0d86 -> 17342, 17344, 17345
                                                 • 17344: 33c0e42 -> 17346
                                                 • 17345: 33c0dc7 -> 17347, 17348
                                                 • 17346: 33c0e70 VirtualFree
                                                 • 17347: 33c0e0c wsprintfA -> 17348
                                                 • 17348: 33c0de7 -> 17342
                                                 • 17349: 33c14c0 VirtualProtect -> 17350, 17351
                                                 • 17350: 33c14ff VirtualProtect
                                                 • 17351: 33c14fb -> 17350
                                                 • 17352: 33c0063 -> 17353
                                                 • 17353: 33c0067 -> 17354, 17355
                                                 • 17354: 33c006b VirtualAlloc -> 17355, 17356
                                                 • 17355: 33c00c3
                                                 • 17356: 33c0084 -> 17357
                                                 • 17357: 33c00b5 VirtualFree -> 17355

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 033C0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 033C0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 033C0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 033C0E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 17f17ed827324179559e2099d663782abce3065d1de8e2d9b892cb3202a3c257
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 8E51EF31545BC58FDB3ACF20CC94AEA7BB4AF06200F09419EDD869B296EB34EC14CB51

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 033C0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 033C0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 033C0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 033C0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 033C0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: d8d88adf4c96ac0129696d42f03fb283b63dbb5f56908b03cae597eeec91fc9c
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: C7418C36640B869BDB38DF64CC84EEB73A5AF44351F04421CEE4697685EB70FC118B90

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 033C0D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 033C0E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 033C0E34
                                                • ExitProcess.KERNEL32(00000000), ref: 033C0E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 033C0E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: 5ca7d6bb9824a3ba97c655ad9ce98735aede9be9f7fce32e4fed07355a4d948c
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 0131A736640B8A9FDB39DF20CC84EEB77A9AF44351F04411DEE469B685EB70E820CB50

                                                Control-flow Graph

                                                 Basic blocks of the rendered graph (executed/not-executed colouring is not preserved in this text form):
                                                 • 137: 33c14c0-33c14f9 VirtualProtect -> 138, 139
                                                 • 138: 33c14ff-33c1517 VirtualProtect
                                                 • 139: 33c14fb-33c14fd -> 138
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 033C14EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 033C150D
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: ad962323816ce99e9e000d43ffbb443b3fc4f72d35f26a3013fb3d58e0d601d7
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: 92F0E933240245AFEB098F64D885EFE7768DF48398B2000AAF7029A186CA71D551C754

                                                Control-flow Graph

                                                 Basic blocks of the rendered graph (executed/not-executed colouring is not preserved in this text form):
                                                 • 179: 33c0063-33c0069 -> 181, 182
                                                 • 181: 33c006b-33c0082 VirtualAlloc -> 182, 184
                                                 • 182: 33c00c3-33c00c5 -> 183
                                                 • 183: 33c00c6-33c00ca
                                                 • 184: 33c0084-33c00a4 -> 185, 186
                                                 • 185: 33c00aa-33c00b0 -> 187, 188
                                                 • 186: 33c00a5 call 33c00cd -> 185
                                                 • 187: 33c00b5-33c00c1 VirtualFree -> 183
                                                 • 188: 33c00b2-33c00b4 -> 187
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 033C007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 033C00BE
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: a467a57586543ebf97b93c0f46ffddb0f8095d07cccd1b60716df43e8aee570d
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: DC01A476219791BEE7318AA19C40F37BBDCDF48612F184C5EFAD5C5090D929E8408B71

                                                Control-flow Graph

                                                 Basic blocks of the rendered graph (executed/not-executed colouring is not preserved in this text form):
                                                 • 189: 33c002a-33c002e -> 191, 192
                                                 • 191: 33c0034-33c0043 call 33c0047 -> 196, 197
                                                 • 192: 33c00c3-33c00c5 -> 193
                                                 • 193: 33c00c6-33c00ca
                                                 • 196: 33c00aa-33c00b0 -> 198, 199
                                                 • 197: 33c0045-33c0061 call 33c0063 -> 196
                                                 • 198: 33c00b5-33c00c1 VirtualFree -> 193
                                                 • 199: 33c00b2-33c00b4 -> 198
                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 033C00BE
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4612733167.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_33c0000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: 06ad9e12213a9431f97413bb179352bcc248864c94e6b8c783629028324a160a
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 65F0E92656E3E1A9F618E7347CC4A27BB98DB42222B16099FDC40D6091DD19DD0287A5
                                                APIs
                                                • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                • VariantInit.OLEAUT32(?), ref: 1000734D
                                                • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                • VariantInit.OLEAUT32(?), ref: 10007377
                                                  • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                • VariantInit.OLEAUT32(?), ref: 10007513
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant$ArrayCreateSafe
                                                • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Dv
                                                • API String ID: 2640012081-2802282100
                                                • Opcode ID: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                                • Opcode Fuzzy Hash: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant
                                                • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Dv$svchost.exe$svchost.exe -k NetworkService
                                                • API String ID: 1927566239-2472453162
                                                • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                                • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                                APIs
                                                • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                • Sleep.KERNEL32 ref: 10007059
                                                • wsprintfA.USER32 ref: 1000709D
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000), ref: 100070D6
                                                • PrintFile.JYAKMJIPGI(00000000,?,00000000,?,00000000), ref: 100070E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: FilePrintSleep$wsprintf
                                                • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                • API String ID: 1547040302-3813294871
                                                • Opcode ID: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                • Opcode Fuzzy Hash: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55
                                                APIs
                                                • wsprintfA.USER32 ref: 1000574F
                                                • wsprintfA.USER32 ref: 100057B1
                                                • wsprintfA.USER32 ref: 100057C5
                                                • PrintFile.JYAKMJIPGI(?,?,00000000), ref: 100057E8
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf$CreateFilePrintThread
                                                • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                • API String ID: 1788855648-1421401311
                                                • Opcode ID: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                                • Opcode Fuzzy Hash: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                                APIs
                                                • wsprintfA.USER32 ref: 10005437
                                                • wsprintfA.USER32 ref: 1000549E
                                                • wsprintfA.USER32 ref: 100054BC
                                                • PrintFile.JYAKMJIPGI(?,?,10016594,?,00000000), ref: 100054DE
                                                • wsprintfA.USER32 ref: 10005582
                                                • Sleep.KERNEL32(000003E8,00000000,76938400,?,40000000,00000001,00000000,00000002,00000000,00000000,75C0C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                                Strings
                                                • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                • %s\%s, xrefs: 10005431
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf$FilePrintSleep
                                                • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                                • API String ID: 518940211-4228670124
                                                • Opcode ID: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                                • Opcode Fuzzy Hash: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
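The String ID fields of the 0x10000000 image entries above carry several base64 tokens next to plaintext format strings, and the APIs entries for the injected 0x033C0000 region record VirtualAlloc, VirtualProtect and VirtualFree calls with their arguments in hex. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report, the IDA plugin or the sample. It parses the report's `Api.MODULE(args), ref: ADDR` lines, names the page-protection and free-type constants (taken from winnt.h) so that the PAGE_EXECUTE_READWRITE allocation at 033C0D78, the PAGE_READWRITE flip at 033C14EF and the MEM_RELEASE at 033C0E85 read as what they are, and decodes the base64 tokens found in the `$`-joined String IDs. The input lines are copied verbatim from the entries above and labelled as such; the function names and the printable-ASCII filter are the helper's own choices.

```python
import base64
import binascii
import re
from collections import namedtuple

# Constructed input: lines copied from this report's "APIs" and "String ID"
# entries (injected region at 0x033C0000 and the DLL image at 0x10000000).
REPORT_API_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 033C0D78",
    "• VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 033C14EF",
    "• VirtualProtect.KERNEL32(?,00001000,?,?), ref: 033C150D",
    "• VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 033C0E85",
    "• Sleep.KERNEL32(0000EA60), ref: 10006F24",
    "• Sleep.KERNEL32 ref: 10007059",
    "• CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835",
]
REPORT_STRING_IDS = [
    "QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz"
    "$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\\1.txt"
    "$http://107.160.131.254:23588/article.php$iOffset",
    "%s\\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\\windows\\system32\\drivers\\%s",
]

# Win32 constants (winnt.h) for the arguments the report prints in hex.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}

# "<Api>.<Module>(<args>), ref: <addr>"; the argument list is optional
# ("Sleep.KERNEL32 ref: 10007059") and "?" marks a value the plugin did not resolve.
API_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# args: int for hex constants, None for "?", str for symbols such as Function_00005620
ApiCall = namedtuple("ApiCall", "api module args ref")


def parse_api_line(line):
    """Parse one report API line; None if the line is not one."""
    m = API_RE.match(line)
    if not m:
        return None
    args = []
    for tok in filter(None, (t.strip() for t in (m.group("args") or "").split(","))):
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]+", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _const(table, value):
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}") if isinstance(value, int) else str(value)


def classify_memory_call(call):
    """Name the page-permission effect of a Virtual* call; None for other APIs."""
    where = f"{call.api} @ {call.ref:08X}"
    if call.api == "VirtualAlloc" and len(call.args) >= 4:
        rwx = " (RWX: writable and executable, code staging)" if call.args[3] == 0x40 else ""
        return f"{where}: flProtect={_const(PAGE_PROTECT, call.args[3])}{rwx}"
    if call.api == "VirtualProtect" and len(call.args) >= 3:
        if call.args[2] is None:
            return f"{where}: flNewProtect taken from a runtime value"
        return f"{where}: flNewProtect={_const(PAGE_PROTECT, call.args[2])}"
    if call.api == "VirtualFree" and len(call.args) >= 3:
        return f"{where}: dwFreeType={_const(MEM_FREE_TYPE, call.args[2])}"
    return None


def decode_string_ids(string_id):
    """Split a '$'-joined String ID; decode tokens that are base64 of printable ASCII.
    Tokens under 8 chars are skipped: 'SWVU' is valid base64 that decodes to junk."""
    out = {}
    for tok in string_id.split("$"):
        if not B64_RE.match(tok) or len(tok) % 4:
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            out[tok] = raw.decode("ascii")
    return out


def triage(api_lines=REPORT_API_LINES, string_ids=REPORT_STRING_IDS):
    """Run both passes over the report excerpts and collect the findings."""
    calls = [c for c in map(parse_api_line, api_lines) if c]
    decoded = {}
    for sid in string_ids:
        decoded.update(decode_string_ids(sid))
    return {"calls": calls, "decoded": decoded,
            "memory": [d for d in map(classify_memory_call, calls) if d]}
```

Calling `triage()` and printing `result["memory"]` and `result["decoded"]` gives four memory findings (the RWX VirtualAlloc, the two VirtualProtect calls, the MEM_RELEASE VirtualFree) and five decoded tokens: ASDSvc.exe, AYRTSrv.aye, \drivers\etc\hosts, \drivers\etc\hosts.ics and c:\windows\system32\drivers\%s\%s. The last of these is the same format string that appears in plaintext in the neighbouring entries, which is why the base64 tokens are worth decoding during triage rather than treating them as opaque strings.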
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf
                                                • String ID: %s\%s$%s\version.txt$12010043$F896SD5DAE$M%s$host123.zz.am:6658
                                                • API String ID: 2111968516-3890874662
                                                • Opcode ID: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                                • Opcode Fuzzy Hash: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                                APIs
                                                • wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,0007D000,00000000,00000000), ref: 100065C8
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,0007D000,00000000,00000000), ref: 100065E6
                                                • wsprintfA.USER32 ref: 100066E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                • API String ID: 4077377486-2496724313
                                                • Opcode ID: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                • Opcode Fuzzy Hash: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1
                                                APIs
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                  • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseFormatQueryTimeValue___crt
                                                • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                • API String ID: 271660946-3893357082
                                                • Opcode ID: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                • Opcode Fuzzy Hash: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                • API String ID: 0-2039984758
                                                • Opcode ID: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                • Opcode Fuzzy Hash: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                APIs
                                                • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                                • wsprintfA.USER32 ref: 100083E6
                                                Strings
                                                • 127.0.0.1, xrefs: 100083F4
                                                • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                • 8.8.8.8, xrefs: 100083EF
                                                • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleepwsprintf
                                                • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                • API String ID: 1749205058-626475063
                                                • Opcode ID: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                • Opcode Fuzzy Hash: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51
                                                APIs
                                                  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                  • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                • wsprintfA.USER32 ref: 10006D88
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                  • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                Strings
                                                • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                • REG_SZ, xrefs: 10006D44
                                                • dtfd, xrefs: 10006DA6
                                                • %s "%s",DoAddToFavDlg, xrefs: 10006D82
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                • String ID: %s "%s",DoAddToFavDlg$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                • API String ID: 1762869224-3711648159
                                                • Opcode ID: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                • Opcode Fuzzy Hash: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4
                                                APIs
                                                  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                • GetLastError.KERNEL32 ref: 10006AA8
                                                  • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                  • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                • String ID: 0x5d65r455f$5762479093
                                                • API String ID: 3244495550-2446933972
                                                • Opcode ID: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                • Opcode Fuzzy Hash: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3
                                                APIs
                                                • Sleep.KERNEL32(00002710), ref: 1000857E
                                                • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                • API String ID: 3472027048-3516831565
                                                • Opcode ID: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                • Opcode Fuzzy Hash: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 10005F21
                                                  • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,?), ref: 10004132
                                                  • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                  • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 10004064
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                • String ID: %s\lang.ini
                                                • API String ID: 3793502078-1858510373
                                                • Opcode ID: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                                • Opcode Fuzzy Hash: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$http://$search
                                                • API String ID: 1721638100-482061809
                                                • Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                • Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                APIs
                                                • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                Strings
                                                • svchsot.exe, xrefs: 10008524
                                                • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                • API String ID: 3472027048-2214221337
                                                • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: wsprintf
                                                • String ID: %s\%s$.$\*.*
                                                • API String ID: 2111968516-2210278135
                                                • Opcode ID: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                • Instruction ID: 8eec4f815dbe1efa717b949f22b0b4cf07a5e7ea20f36989431d082c549aebfc
                                                • Opcode Fuzzy Hash: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                • Instruction Fuzzy Hash: D9315CB6C0425CBBEF12DFA4CC46EDE7B7DEB09380F0004A6F618A6051DB719B988B51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: InitVariant
                                                • String ID: $p=Dv
                                                • API String ID: 1927566239-3905987846
                                                • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                                • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                                APIs
                                                  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.4613082679.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000012.00000002.4613055765.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613104940.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613134605.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613156933.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613201030.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000012.00000002.4613236240.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd
                                                Similarity
                                                • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                • String ID: %s\lang.ini$http://
                                                • API String ID: 1721638100-679094439
                                                • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:63
                                                Total number of Limit Nodes:3

                                                Callgraph

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: AllocExitMessageProcessVirtualwsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 1926473177-4283279704
                                                • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction ID: 16c203f210c199eec5e5c9761231a2c142e48a2dedc1432673bc71f2bf052f88
                                                • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                • Instruction Fuzzy Hash: 1251163114A7859FDB3ACF20CC40BDB7BB9AF46300F09419EDD469B29AEB34A814CB51

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03060E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction ID: c056d92dc2c50a53340e63c12937258293b06f0db908cd31dce0f1f5f733f562
                                                • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                • Instruction Fuzzy Hash: 1E419D362417169FEB38CF14CC44FEB73A5AF44351F044618ED469B689EB70B911CB90

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03060E85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                • API String ID: 3261521767-4283279704
                                                • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction ID: edcce62883e29a07068e50361eb99db082087d0211dd0322ef30be9d8e22b546
                                                • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                • Instruction Fuzzy Hash: 1931A9362867469FDB38DF10CC80FEB77A9AF84351F04411DED469B689EB70A810CB50

                                                Control-flow Graph

                                                APIs
                                                • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 030614EF
                                                • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0306150D
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction ID: ec6bc77671bef2c5afc818fa0ad32a5b2d9c608e0d4405a18c85efd481e7501b
                                                • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                • Instruction Fuzzy Hash: 8DF0E933240245AFEB0D8F64D885EEE7768DF48398B20006AF7029A58ACA71D551C754

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0306007E
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030600BE
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction ID: db82dc17b7b1d6a4d624b630e3cf66c1aafaf0859c2e8ef635d780305f46e239
                                                • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                • Instruction Fuzzy Hash: C401817624AA017EF7718AA19C00F37BBDCDF48612F184C5AFAD5C5090DA26E4408B70

                                                Control-flow Graph

                                                APIs
                                                • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030600BE
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2550631624.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_3060000_rundll32.jbxd
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction ID: ad643e6b4d9600eaa03acacfd0df492284276328b7da61fb7f972ab6bf2d4168
                                                • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                • Instruction Fuzzy Hash: 2EF0E92669FB1169F610E7347C44A67BBD8DB46221F150E97DC40D6095DD21D80286A4