
Windows Analysis Report
08e2VwqyI0.dll

Overview

General Information

Sample name: 08e2VwqyI0.dll (renamed because original name is a hash value)
Original sample name: dba9c2268b1ee590b4b3b456642c6c7aa6993b9d.dll
Analysis ID: 1558497
MD5: 129a4a5be1e9cff7a54ebf6b80793986
SHA1: dba9c2268b1ee590b4b3b456642c6c7aa6993b9d
SHA256: a80d66f921a6f59756560ae3c3afd26fdd43e26f30ecabdd729c80301a8d08ce
Tags: dll, user-NDA0E
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
PE file has a writeable .text section
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1996 cmdline: loaddll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5540 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3580 cmdline: rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1160 cmdline: rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 6720 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 344 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 1308 cmdline: rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1976 cmdline: rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5280 cmdline: rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 2100 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 4648 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 3404 cmdline: rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4032 cmdline: rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 3396 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 5736 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4580 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 2300 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 1160 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2848 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 3580, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtfd
No Suricata rule has matched

AV Detection

Source: 08e2VwqyI0.dll | Avira: detected
Source: 08e2VwqyI0.dll | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: 08e2VwqyI0.dll | Joe Sandbox ML: detected
Source: 08e2VwqyI0.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: \??\c:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*^nq | source: rundll32.exe, 00000004.00000003.2009300275.000000000348A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2011769719.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*M | source: rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.253 18659
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.254 23588
Source: global traffic | TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: global traffic | TCP traffic: 107.160.131.253 ports 1,5,6,8,9,18659
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | TCP traffic: 192.168.2.8:49707 -> 107.163.56.110:18530
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 107.160.131.253:18659
Source: global traffic | TCP traffic: 192.168.2.8:49740 -> 107.160.131.254:23588
Source: Joe Sandbox View | IP Address: 202.108.0.52
Source: Joe Sandbox View | IP Address: 107.163.56.110
Source: Joe Sandbox View | ASN Name: TAKE2US
Source: Joe Sandbox View | ASN Name: AS40676US
Source: global traffic | TCP traffic: 192.168.2.8:49772 -> 202.108.0.52:80
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.253
Source: unknown | TCP traffic detected without corresponding DNS query: 107.160.131.254
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003F41 InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: host123.zz.am
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.253/
Source: rundll32.exe, rundll32.exe, 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.160.131.253:18659/
Source: rundll32.exe, 00000004.00000002.3874761658.0000000003418000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWndm
Source: rundll32.exe, rundll32.exe, 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php$
Source: rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php(s
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php-
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.php.
Source: rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpA
Source: rundll32.exe, 00000004.00000002.3891213656.000000000618A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3891092502.0000000005F6D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpC:
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpI
Source: rundll32.exe, 00000004.00000003.1930719433.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpNetHood
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpV
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpn
Source: rundll32.exe, 00000004.00000002.3874761658.0000000003418000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpnv
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpplication
Source: rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phptings
Source: rundll32.exe, 00000004.00000002.3874761658.000000000341D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.160.131.254:23588/article.phpttings
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.110:18530/u1129.htmlP
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.110:18530/u1129.htmlS
Source: rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s1
Source: rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s6
Source: rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%sc
Source: rundll32.exe, 00000004.00000002.3891297476.00000000063AD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2883816734.000000000348A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093/w
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093M
Source: rundll32.exe, 00000004.00000003.2883816734.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093ktop
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093z
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093z.
Source: rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093~
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.rsac.org/ratingsv01.html

System Summary

Source: 08e2VwqyI0.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10008AAD: DeviceIoControl
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10003F63 ExitWindowsEx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_024500CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_026B00CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033900CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_047100CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_030600CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_049C00CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_049400CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_02D900CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 909 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10009125 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000CD90 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 672
Source: 08e2VwqyI0.dll | Binary or memory string: OriginalFilenamejscript.dllL vs 08e2VwqyI0.dll
Source: 08e2VwqyI0.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 08e2VwqyI0.dll | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 08e2VwqyI0.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@42/10@58/5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003FB7 CreateToolhelp32Snapshot
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\Desktop\12010043
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\host123.zz.am:6658
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4032
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mhost123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1976
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\46dfa831-5c81-415f-9cd2-319463f8abbb
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,DoAddToFavDlg
Source: 08e2VwqyI0.dll | ReversingLabs: Detection: 97%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,DoAddToFavDlg
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 672
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 668
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: \??\c:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*^nq source: rundll32.exe, 00000004.00000003.2009300275.000000000348A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2011769719.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*M source: rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02450E9F LoadLibraryA,GetProcAddress, 0_2_02450E9F
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: 08e2VwqyI0.dll Static PE information: real checksum: 0x31f33 should be: 0x2ef6e
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003900A push dword ptr [esp+4Ch]; retn 0050h 4_2_1003901C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10027023 push dword ptr [esp+18h]; retn 001Ch 4_2_1002A254
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F024 push dword ptr [esp+14h]; retn 0018h 4_2_1002F036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10029029 push dword ptr [esp+38h]; retn 003Ch 4_2_10027C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10029029 pushad ; mov dword ptr [esp], 73E57D1Ah 4_2_10029046
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003B02D push dword ptr [esp+50h]; retn 0054h 4_2_1003B061
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F039 push esp; mov dword ptr [esp], B1CF2C6Dh 4_2_1002F051
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F039 push dword ptr [esp+50h]; retn 0054h 4_2_1002F068
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10035048 push dword ptr [esp+50h]; retn 0054h 4_2_100351D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10033059 push dword ptr [esp+50h]; retn 0054h 4_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10033064 push dword ptr [esp+50h]; retn 0054h 4_2_1003307F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002D06D push dword ptr [esp+38h]; retn 003Ch 4_2_1002D08D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10031079 push dword ptr [esp+30h]; retn 0034h 4_2_10031095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10027080 push ebp; mov dword ptr [esp], edx 4_2_1002FD0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10027080 push dword ptr [esp+04h]; retn 0008h 4_2_1002FD4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10023085 push dword ptr [esp+38h]; retn 003Ch 4_2_10023093
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10023096 push dword ptr [esp+50h]; retn 0054h 4_2_100230B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100330A5 push dword ptr [esp+2Ch]; retn 0030h 4_2_1002B78C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100330A5 push dword ptr [esp+04h]; retn 0008h 4_2_1003B2DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100230B6 push dword ptr [esp+34h]; retn 0038h 4_2_1002F874
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100270BA push dword ptr [esp+34h]; retn 0038h 4_2_1002AD33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100250BC push dword ptr [esp+44h]; retn 0048h 4_2_1003408E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002F0D4 push dword ptr [esp+0Ch]; retn 0014h 4_2_1002F0EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h 4_2_100282E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100270D4 push dword ptr [esp+0Ch]; retn 0010h 4_2_100338DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100350D9 push dword ptr [esp+50h]; retn 0054h 4_2_10035102
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100250D9 push dword ptr [esp+14h]; retn 0018h 4_2_100250F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002B0E4 push dword ptr [esp+48h]; retn 004Ch 4_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002D0EF push dword ptr [esp+10h]; retn 0014h 4_2_1002D116
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002B0EF push dword ptr [esp+48h]; retn 004Ch 4_2_1002B0FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10039107 push dword ptr [esp+4Ch]; retn 0050h 4_2_10039116
Source: 08e2VwqyI0.dll Static PE information: section name: .text entropy: 7.997797944306588

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dtfd
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_4-17729
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001E1FE rdtsc 4_2_1001E1FE
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 5278
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.6 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1612 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1036 Thread sleep count: 277 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1036 Thread sleep time: -498600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3532 Thread sleep count: 56 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3532 Thread sleep time: -560000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3508 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4424 Thread sleep time: -1620000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3344 Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3832 Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3360 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5668 Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6840 Thread sleep time: -7200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1036 Thread sleep count: 5278 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1036 Thread sleep time: -9500400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,FindClose, 4_2_10007F3E
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: rundll32.exe, 00000004.00000002.3874395414.0000000002ECB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000004.00000002.3874761658.000000000341D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: rundll32.exe, 00000004.00000003.1714557553.0000000002F47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Applications\\VMwareHostOpen.exe
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-384
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-395
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-404
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-393
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_4-17642
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_4-17631
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_10-395
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_10-384
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_17-401
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_17-390
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_18-392
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_18-381
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_19-17332
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_19-17321
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_26-392
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_26-381
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001E1FE rdtsc | 4_2_1001E1FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000CCF2 LdrInitializeThunk | 11_2_1000CCF2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02450E9F LoadLibraryA,GetProcAddress | 0_2_02450E9F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.253 18659
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.160.131.254 23588
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0 (this entry is repeated four times in the report)
MITRE ATT&CK Matrix (one line per tactic; the leading numbers are the counts shown on the report's matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 11 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 111 Process Injection; 11 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Rundll32
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 File and Directory Discovery; 111 System Information Discovery; 31 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1558497
Sample: 08e2VwqyI0.dll
Start date: 19/11/2024
Architecture: WINDOWS
Score: 100

DNS/IP info attached to the sample: host123.zz.am; blogx.sina.com.cn; blog.sina.com.cn
Signatures attached to the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 3 other signatures

Process tree (indentation shows parent/child; bracketed numbers are the node counts from the graph legend for created registry values and files; signatures follow the process they are attached to):

  loaddll32.exe [1]
    cmd.exe [1]
      Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      rundll32.exe [1 14]
        Signatures: System process connects to network (likely due to code injection or exploit); Creates an autostart registry key pointing to binary in C:\Windows; Queries disk data (e.g. SMART data)
        Network: 107.163.56.110, 18530 (TAKE2US, United States); 107.160.131.253, 18659 (AS40676US, United States); 2 other IPs or domains
    rundll32.exe
      Signatures: Found evasive API chain (may stop execution after checking mutex); Queries disk data (e.g. SMART data)
      cmd.exe [1]
        Signatures: Uses ping.exe to sleep
        PING.EXE [1]
          Network: 127.0.0.1 (unknown, unknown)
        conhost.exe
    rundll32.exe
      cmd.exe
        conhost.exe
        PING.EXE
    5 other processes
      WerFault.exe [20 16]
      WerFault.exe
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE

Source | Detection | Scanner | Label | Link
08e2VwqyI0.dll | 97% | ReversingLabs | Win32.Backdoor.Zegost |
08e2VwqyI0.dll | 100% | Avira | TR/ATRAPS.Gen |
08e2VwqyI0.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://107.160.131.254:23588/article.php | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpttings | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phptings | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpplication | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpI | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpn | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.php. | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpC: | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpA | 0% | Avira URL Cloud | safe |
http://107.163.56.110:18530/u1129.html | 0% | Avira URL Cloud | safe |
http://107.163.56.110:18530/u1129.htmlS | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.php- | 0% | Avira URL Cloud | safe |
http://107.163.56.110:18530/u1129.htmlP | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpNetHood | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.php$ | 0% | Avira URL Cloud | safe |
http://www.rsac.org/ratingsv01.html | 0% | Avira URL Cloud | safe |
http://107.160.131.253/ | 0% | Avira URL Cloud | safe |
http://107.160.131.253:18659/ | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpV | 0% | Avira URL Cloud | safe |
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWndm | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.php(s | 0% | Avira URL Cloud | safe |
http://107.160.131.254:23588/article.phpnv | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blogx.sina.com.cn | 202.108.0.52 | true | false | | high
host123.zz.am | unknown | unknown | false | | high
blog.sina.com.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://107.160.131.254:23588/article.php | rundll32.exe, rundll32.exe, 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/%s6 | rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.phpI | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpttings | rundll32.exe, 00000004.00000002.3874761658.000000000341D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpplication | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpC: | rundll32.exe, 00000004.00000002.3891213656.000000000618A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3891092502.0000000005F6D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phptings | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.html | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpA | rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.14.dr | false | | high
http://blog.sina.com.cn/u/%s | rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000004.00000002.3891297476.00000000063AD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2883816734.000000000348A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.php. | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpn | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.htmlP | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.htmlS | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093M | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.php- | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.phpNetHood | rundll32.exe, 00000004.00000003.1930719433.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/%sc | rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.rsac.org/ratingsv01.html | rundll32.exe, rundll32.exe, 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.253:18659/ | rundll32.exe, rundll32.exe, 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php$ | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093~ | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093/w | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093z | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.253:18659//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mtiWmtaWndm | rundll32.exe, 00000004.00000002.3874761658.0000000003418000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093ktop | rundll32.exe, 00000004.00000003.2883816734.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093z. | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.254:23588/article.phpV | rundll32.exe, 00000004.00000003.1930955275.0000000003479000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3728220117.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2884108357.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3727847838.0000000003471000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.253/ | rundll32.exe, 00000004.00000002.3874761658.00000000033AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.254:23588/article.php(s | rundll32.exe, 00000004.00000002.3874761658.0000000003471000.00000004.00000020.00020000.00000000.sdmp | false | |
                              • Avira URL Cloud: safe
                              unknown
                              http://107.160.131.254:23588/article.phpnvrundll32.exe, 00000004.00000002.3874761658.0000000003418000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://blog.sina.com.cn/u/%s1rundll32.exe, 00000004.00000002.3879276594.0000000004E67000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
IP | Domain | Country | ASN | ASN Name | Malicious
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
107.160.131.253 | unknown | United States | 40676 | AS40676US | true
107.160.131.254 | unknown | United States | 40676 | AS40676US | true
                                IP
                                127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558497
Start date and time: 2024-11-19 14:23:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 08e2VwqyI0.dll
renamed because original name is a hash value
Original Sample Name: dba9c2268b1ee590b4b3b456642c6c7aa6993b9d.dll
Detection: MAL
Classification: mal100.troj.spyw.evad.winDLL@42/10@58/5
                                EGA Information:
                                • Successful, ratio: 88.9%
                                HCA Information:
                                • Successful, ratio: 95%
                                • Number of executed functions: 77
                                • Number of non-executed functions: 56
                                Cookbook Comments:
                                • Found application associated with file extension: .dll
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 52.168.117.172, 20.42.73.29
                                • Excluded domains from analysis (whitelisted): onedsblobprdeus07.eastus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
                                • Execution Graph export aborted for target rundll32.exe, PID 1976 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: 08e2VwqyI0.dll
Time | Type | Description
08:24:38 | API Interceptor | 1004897x Sleep call for process: rundll32.exe modified
08:24:45 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
08:27:24 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
202.108.0.52 | VqCbf9fhnQ.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | k4F4uRTZZR.dll | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | 5jme4p7u76.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
107.163.56.110 | PqZ6GU98Eh.dll | malicious | Unknown |
107.163.56.110 | jYAKmjIPgI.dll | malicious | Unknown |
107.163.56.110 | b3sV534MMf.dll | malicious | Unknown |
107.163.56.110 | MYuRWuVXzX.dll | malicious | Unknown |
107.163.56.110 | 81mieek02V.dll | malicious | Unknown |
107.163.56.110 | Vb1S2HJcnN.dll | malicious | Unknown |
107.163.56.110 | 02hNixBIvP.exe | malicious | Unknown |
107.163.56.110 | abc.dll | malicious | Unknown |
107.160.131.253 | jYAKmjIPgI.dll | malicious | Unknown |
107.160.131.253 | 81mieek02V.dll | malicious | Unknown |
107.160.131.253 | Vb1S2HJcnN.dll | malicious | Unknown |
107.160.131.254 | jYAKmjIPgI.dll | malicious | Unknown |
107.160.131.254 | 81mieek02V.dll | malicious | Unknown |
107.160.131.254 | Vb1S2HJcnN.dll | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
blogx.sina.com.cn | PqZ6GU98Eh.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | jYAKmjIPgI.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | b3sV534MMf.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | NaRZIOq3O8.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 33twe7X26S.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676US | PqZ6GU98Eh.dll | malicious | Unknown | 107.160.131.252
AS40676US | jYAKmjIPgI.dll | malicious | Unknown | 107.160.131.254
AS40676US | 81mieek02V.dll | malicious | Unknown | 107.160.131.254
AS40676US | Vb1S2HJcnN.dll | malicious | Unknown | 107.160.131.254
AS40676US | Malwarebytes Premium v4.6.8.311.exe | malicious | Unknown | 41.216.183.30
AS40676US | Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
AS40676US | QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
AS40676US | 5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
AS40676US | e8HOp8k5Kj.js | malicious | Unknown | 45.61.137.33
AS40676US | Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | PqZ6GU98Eh.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | jYAKmjIPgI.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | b3sV534MMf.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | NaRZIOq3O8.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 33twe7X26S.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
TAKE2US | PqZ6GU98Eh.dll | malicious | Unknown | 107.163.56.110
TAKE2US | jYAKmjIPgI.dll | malicious | Unknown | 107.163.56.110
TAKE2US | b3sV534MMf.dll | malicious | Unknown | 107.163.56.110
TAKE2US | NaRZIOq3O8.dll | malicious | Unknown | 107.163.241.193
TAKE2US | 33twe7X26S.dll | malicious | Unknown | 107.163.241.193
TAKE2US | MYuRWuVXzX.dll | malicious | Unknown | 107.163.56.110
TAKE2US | JwLT3elUtn.dll | malicious | Unknown | 107.163.43.161
TAKE2US | yKVQVNB2qI.dll | malicious | Unknown | 107.163.56.240
TAKE2US | 46PhJ3XpBT.dll | malicious | Unknown | 107.163.43.236
TAKE2US | 01JkTmNJhe.dll | malicious | Unknown | 107.163.43.235
                                                            No context
                                                            No context
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: data
Category: dropped
Size (bytes): 721
Entropy (8bit): 4.519220738257457
Encrypted: false
SSDEEP: 12:8GGdzrn7oce9UcdY7xjIaGwwwwwwwwwwwwwwwwwwwwP:8G4n7o39U0YVje
MD5: 1A2142B706CA0E422BE413C718EF7308
SHA1: 655BF7399BB4BD75695AC5D5BEAB6963DC6ECAF3
SHA-256: A7A39269A451A173BA8509B63AAFF9D2419FDDB7DF981FAB27DA0F2855CEAC84
SHA-512: C895FA7C8857079EDD5A75CC8810DF08DBB091408E48E96AAFC48E84CD955F71401B9F54B3D2FAF29C862DA3E82F07E450DECF42A19E379D8CAA23C0631EA16A
Malicious: false
                                                            Preview:..2024-11-21 13:12..iOffset....2024-11-23 04:03..iOffset....2024-11-24 21:14..iOffset....2024-11-26 15:36..iOffset....2024-11-27 13:24..iOffset....2024-11-28 15:53..iOffset....2024-12-01 06:33..iOffset....2024-12-04 22:39..iOffset....2024-12-07 10:34..iOffset....2024-12-14 07:26..iOffset....2024-12-18 15:24..iOffset....2024-12-23 15:15..iOffset....2029-07-11 02:48..iOffset....2036-11-26 10:30..iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset........iOffset..
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.950696993679653
Encrypted: false
SSDEEP: 192:yQJijOE30BU/wjeT7WaZYzuiFUZ24IO8dci:TJiqEEBU/wjevbYzuiFUY4IO8dci
MD5: 26E7BC64706BE716A2352C1183C34F48
SHA1: BF2D620B1F7A9314E30A51E2A31BE65EB00A9B0D
SHA-256: D6774B23692B023AB2F404283C8DDBED6322484A9C3B9836EFB2891CDD4EA4E2
SHA-512: 468A4EA4796C06D6E6DA750E683D6D49520929DCCC06D181780414F1BE1D29DF921A88005F86EBE2BFFDA01AEF0603A983A9719DC289052D7364B8194FCCA867
Malicious: false
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.2.8.6.0.8.6.1.5.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.2.8.6.8.5.1.7.7.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.6.9.4.d.d.f.-.2.8.1.2.-.4.9.2.5.-.b.8.a.f.-.3.4.7.e.7.a.e.a.b.4.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.7.f.a.f.3.a.-.8.c.0.7.-.4.7.1.a.-.b.7.1.7.-.a.9.c.e.5.5.d.c.1.a.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.c.0.-.0.0.0.1.-.0.0.1.4.-.b.7.e.3.-.6.3.6.6.8.6.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.95056249331519
Encrypted: false
SSDEEP: 192:KHA3iZOB30BU/wjeTbWaZYzuiFUZ24IO8dci:CA3iwBEBU/wjePbYzuiFUY4IO8dci
MD5: A10B880963DCCE0D113EE9CF80E61AAD
SHA1: 9864B6C9C4F9292F397CD34F1D96B5F0E093689F
SHA-256: E7D150DEA7847B95978F5597CEBAEC5543847F0D9D67B8E165CD3431D913A49E
SHA-512: 5ABFA95DB8D874D178A4E9A58DFFFB0C06E43A08B332832A6233B815F8A13AD2D11A96A65FD1464E4F83F4019710EDA73F6E351FBFFAB691173F3C0E15EBE444
Malicious: false
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.2.8.3.0.0.9.3.8.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.2.8.3.9.1.5.6.3.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.a.b.c.9.2.4.-.2.4.5.2.-.4.a.b.b.-.8.1.b.b.-.5.f.c.9.3.2.c.8.c.5.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.1.e.a.e.f.3.-.2.7.5.f.-.4.e.c.8.-.8.f.d.7.-.7.9.9.8.d.e.6.b.6.2.8.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.b.8.-.0.0.0.1.-.0.0.1.4.-.d.f.d.d.-.8.d.6.4.8.6.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Tue Nov 19 13:24:43 2024, 0x1205a4 type
Category: dropped
Size (bytes): 45268
Entropy (8bit): 2.02092739146417
Encrypted: false
SSDEEP: 192:DW/EkZHVXpXvUO5H4ysmv1qd/Ar/4+BTdh1Ky:i/bZHf5HTs4cd/Az4+Bo
MD5: 424149B97758D42A94955AD99241655B
SHA1: CAD007CA26DCB111296BFDAA7351297C1A0C8C8E
SHA-256: 16D4F48C5A0F75C90D3921FD6B3724C6601FFE4C81633EF2B69847439C300F97
SHA-512: 55725C8B040781F45A368DB5F2CEE916A1B03F347924CCA940E95C0F4FBB19303DBF6F64C9D45E3F2B591433AD33716A3B3212C43ACD1BD92DFF28941CD38CAF
Malicious: false
                                                            Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8272
Entropy (8bit): 3.6952229836293027
Encrypted: false
SSDEEP: 192:R6l7wVeJcC626YdE6RgmfTZaYprw89btnsf0GPm:R6lXJB626YO6RgmfTZaQtsfC
MD5: 879A11CAF691ECDDB382FE396C073BF7
SHA1: 1541960D059A3A92F99858715F56015346649080
SHA-256: BE18C4E2335D1E5932298AD2E132965AB7F581C97EC0FD0D8055DC83358533C0
SHA-512: 87C5E0901CA84F11F9C40CE1E6780C765DA7DC2979F21E25FB5EB822509EB10A488B48133AAC8BDB0BA122C13EC65AA715EDB7C7B81CB9D358F423FD39798044
Malicious: false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.7.6.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4654
Entropy (8bit): 4.461892195265477
Encrypted: false
SSDEEP: 48:cvIwWl8zsyJg77aI9QzWpW8VYoFoYm8M4JCdPSFW+q8/AxGScSpd:uIjfAI76C7VhFFJupJ3pd
MD5: 308064529445FB5EBE61928086FE9A07
SHA1: 0AFF5318E6D0934F184B81272C653814EB450A32
SHA-256: 22A2AE01AAA0DE08893C3AA84CEF06351CDA97A89C5A28E280C1C4AE31DFAC39
SHA-512: D8494E209F011E9384B1578A18E843F82236B120795C398C9E43C6C5FA04420BCCC1834D2A50E2B5884C339E6E298B830D19EBFFD21FEF5FEA11209FC65EBC71
Malicious: false
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594987" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:24:46 2024, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):45966
                                                            Entropy (8bit):1.9951415072130652
                                                            Encrypted:false
                                                            SSDEEP:192:WYLWZHVXpX1cO5H4iheT/YI5a9O/3mihgYZYE:XqZH15HDheT/YDZiT
                                                            MD5:CA3FEAEDFD8EF261BC1D2BEC7A3F9476
                                                            SHA1:962088D07A9513B038E500888F7E54BC5C28A5EA
                                                            SHA-256:5EB74BEDB95BAA11A7A1AD48C65F4A1889C150B4B072541EE0902711A974C53F
                                                            SHA-512:67670C28AF5FC898C7B061FC8B942A3ADB75ED79A23E54B345284F5CD215F1CC1FC2F4574DF11925720015BB62BB754A0CD585AC53299452F4AB9033DC6EBCF6
                                                            Malicious:false
                                                            Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8270
                                                            Entropy (8bit):3.6906602209919854
                                                            Encrypted:false
                                                            SSDEEP:192:R6l7wVeJYjR6r76YVQV6SgmfTZaYprO89bAJsfCRAm:R6lXJSR6r76YWV6SgmfTZaaAifCD
                                                            MD5:BEF443A886833269E99CE65CC29364E7
                                                            SHA1:A9E7C89485E18782FC937EAEC858553E39EB22EB
                                                            SHA-256:173FEF31ED2AFBEDB79F1CE2BEADB1732000F4EDFFFC63A22F0064C42D8D2154
                                                            SHA-512:EA2A68CBD84D1F62040A3D7135400CC1C4D24B0514EA4BA86CDAC3A7FE29D4296EEACF54B3D374FF3F657B6059D75711058E1C62BC6349F3498E2BAF7CA2AA06
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.3.2.<./.P.i.
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4654
                                                            Entropy (8bit):4.459899340293469
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwWl8zsyJg77aI9QzWpW8VYbYm8M4JCdPSFWI+q8/ARnGScSxd:uIjfAI76C7V7JeIZnJ3xd
                                                            MD5:A193261BAA3A3DB7A69582B510883A45
                                                            SHA1:EE5095ECB5AF904AB215277C1A45536899159DF1
                                                            SHA-256:8AD42BD44F393249AAC6E7B8CC71A0C688AB251FC4C0C1A9C0104D8E1ED27A9C
                                                            SHA-512:E844381F719155373A8A0DE24E356B740D4AD56627764F04DD3E29FBC56FC6A39355BEE681ED853944708058C7C7A26882218D2B5A348D073E6EBA127743D6ED
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594987" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):1835008
                                                            Entropy (8bit):4.37287043948001
                                                            Encrypted:false
                                                            SSDEEP:6144:OFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:eV1QyWWI/glMM6kF7Kq
                                                            MD5:D1B051EC99383A0FFE404B622C2A78EF
                                                            SHA1:909FA24353C4C9E66F6EAE63EDFF9625B33F37DB
                                                            SHA-256:864B62E91ABE3D173BDCDE74F889C67D1527158F8EB6443A575FF626BE410A19
                                                            SHA-512:E9A2EB95378586915BCD4D830D1DA3C541332F403CB74B0EC220ED65587876D860982BC0E014115E28914E1393D108F03CBDEE85F947A59DFEAEE08893A3F96D
                                                            Malicious:false
                                                            Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...d.:...............................................................................................................................................................................................................................................................................................................................................w.P........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                            Entropy (8bit):7.960894639958724
                                                            TrID:
                                                            • Win32 Dynamic Link Library (generic) (1002004/3) 90.54%
                                                            • Win32 EXE PECompact compressed (v2.x) (59071/9) 5.34%
                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 3.76%
                                                            • Generic Win/DOS Executable (2004/3) 0.18%
                                                            • DOS Executable Generic (2002/1) 0.18%
                                                            File name:08e2VwqyI0.dll
                                                            File size:175'321 bytes
                                                            MD5:129a4a5be1e9cff7a54ebf6b80793986
                                                            SHA1:dba9c2268b1ee590b4b3b456642c6c7aa6993b9d
                                                            SHA256:a80d66f921a6f59756560ae3c3afd26fdd43e26f30ecabdd729c80301a8d08ce
                                                            SHA512:2d71d88ff8c8854bacbd6689abd54e739c482b5605295bd9ffea1b06078b4e9f1f6f1072bb03b9cf255cd50a8f28da9bd762c3c3ca950d7165932e89940611fd
                                                            SSDEEP:3072:R2Iz9CI8mUOtDDPwLkBLXLDFkKmvzXBpLHYmmO1QezRd7UcPa1xMjM7A:Rjz9X8mXGUXVPmr9mOzRd7UcPKoMk
                                                            TLSH:100412B0F3F98B59F0A716770831597CC97638816329277FC2889A6EAC5442FF18D764
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................
                                                            Icon Hash:7ae282899bbab082
                                                            Entrypoint:0x1004fe9b
                                                            Entrypoint Section:.rsrc
                                                            Digitally signed:false
                                                            Imagebase:0x10000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                            DLL Characteristics:
                                                            Time Stamp:0x565C7C9C [Mon Nov 30 16:43:08 2015 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:bb6e4ad1ce3cf53a77a13b1c6fafb901
                                                            Instruction
                                                            mov eax, 10050CB4h
                                                            push eax
                                                            push dword ptr fs:[00000000h]
                                                            mov dword ptr fs:[00000000h], esp
                                                            xor eax, eax
                                                            mov dword ptr [eax], ecx
                                                            push eax
                                                            inc ebp
                                                            inc ebx
                                                            outsd
                                                            insd
                                                            jo 00007F7A3CF38A23h
                                                            arpl word ptr [edx+esi+00h], si
                                                            add byte ptr [eax], al
                                                            or byte ptr [eax+eax], cl
                                                            dec eax
                                                            loope 00007F7A3CF389C3h
                                                            push esi
                                                            push edi
                                                            push ebx
                                                            push ebp
                                                            mov ebx, dword ptr [esp+1Ch]
                                                            test ebx, ebx
                                                            je 00007F79FADBAB71h
                                                            push cs
                                                            out 60h, al
                                                            or eax, 72656B0Bh
                                                            outsb
                                                            insb
                                                            xor esi, dword ptr [edx]
                                                            adc al, 44h
                                                            push es
                                                            mov eax, C08513FFh
                                                            cmp byte ptr [edi+0CE8F08Bh], cl
                                                            xor eax, dword ptr [esi+6900ECE3h]
                                                            jc 00007F7A3CF38A36h
                                                            jne 00007F7A3CF38A23h
                                                            insb
                                                            inc esi
                                                            sbb bh, bh
                                                            push ebx
                                                            add al, 3Eh
                                                            mov dword ptr [8BFFC4D0h], eax
                                                            call 00007F79E034A537h
                                                            xor eax, dword ptr [edi+636F6E15h]
                                                            sbb al, 58h
                                                            mov esp, dword ptr [esp+edx]
                                                            jl 00007F7A3CF38951h
                                                            sar ecx, FFFFFFA1h
                                                            sbb byte ptr [edx+68h], ch
                                                            adc byte ptr [eax-01h], cl
                                                            pushad
                                                            clc
                                                            cmp dword ptr [ecx], 3F33D008h
                                                            mov ebx, eax
                                                            push eax
                                                            push esp
                                                            jbe 00007F7A3CF389C6h
                                                            push edi
                                                            or byte ptr [eax], cl
                                                            lea eax, dword ptr [esi+0Fh]
                                                            inc edx
                                                            aad C9h
                                                            stc
                                                            mov dh, 0Ch
                                                            add eax, FF0C300Dh
                                                            adc dword ptr [esi], ecx
                                                            push eax
                                                            push ebx
                                                            call 00007F7A017732E8h
                                                            sub byte ptr [edx+58h], bl
                                                            je 00007F7A3CF389C5h
                                                            int3
                                                            adc dword ptr [edx], esi
                                                            jne 00007F7A3CF389F5h
                                                            dec eax
                                                            push eax
                                                            add byte ptr [eax+53h], FFFFFFD5h
                                                            pop eax
                                                            push eax
                                                            add byte ptr [edx], cl
                                                            push eax
                                                            Programming Language:
                                                            • [IMP] VS2008 SP1 build 30729
                                                            • [ C ] VS98 (6.0) build 8168
                                                            • [C++] VS98 (6.0) build 8168
                                                            • [RES] VS98 (6.0) cvtres build 1720
                                                            • [LNK] VS98 (6.0) imp/exp build 8168
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4fb24 | 0x68 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4fc14 | 0x2eb | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0xb10 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x51000 | 0x18 | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x4e000 | 0x28800 | 616e4770cbaa1701277e430d81cefbf7 | False | 0.9978238329475309 | data | 7.997797944306588 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc | 0x4f000 | 0x2000 | 0x1e00 | 4178e173c28267cb5211773428c4940e | False | 0.6875 | data | 6.368056297656816 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .reloc | 0x51000 | 0x1000 | 0x200 | aa11e7584102ed6962d8c933636a8bad | False | 0.0625 | data | 0.2162069074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_STRING | 0x4b000 | 0x16c | empty | English | United States | 0
                                                            RT_STRING | 0x4b170 | 0x86 | empty | English | United States | 0
                                                            RT_STRING | 0x4b1f8 | 0x56 | empty | English | United States | 0
                                                            RT_STRING | 0x4b250 | 0x16e | empty | English | United States | 0
                                                            RT_STRING | 0x4b3c0 | 0x128 | empty | English | United States | 0
                                                            RT_STRING | 0x4b4e8 | 0xd2 | empty | English | United States | 0
                                                            RT_STRING | 0x4b5c0 | 0x6a | empty | English | United States | 0
                                                            RT_STRING | 0x4b630 | 0xc8 | empty | English | United States | 0
                                                            RT_STRING | 0x4b6f8 | 0x200 | empty | English | United States | 0
                                                            RT_STRING | 0x4b8f8 | 0x23e | empty | English | United States | 0
                                                            RT_STRING | 0x4bb38 | 0x12e | empty | English | United States | 0
                                                            RT_STRING | 0x4bc68 | 0xca | empty | English | United States | 0
                                                            RT_STRING | 0x4bd38 | 0x252 | empty | English | United States | 0
                                                            RT_STRING | 0x4bf90 | 0x28e | empty | English | United States | 0
                                                            RT_STRING | 0x4c220 | 0xce | empty | English | United States | 0
                                                            RT_STRING | 0x4c2f0 | 0x15c | empty | English | United States | 0
                                                            RT_STRING | 0x4c450 | 0x398 | empty | English | United States | 0
                                                            RT_STRING | 0x4c7e8 | 0x2ae | empty | English | United States | 0
                                                            RT_STRING | 0x4ca98 | 0x42 | empty | English | United States | 0
                                                            RT_STRING | 0x4cae0 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cb00 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cb20 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cb40 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cb60 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cb80 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cba0 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cbc0 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cbe0 | 0x7a | empty | English | United States | 0
                                                            RT_STRING | 0x4cc60 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cc80 | 0x20 | empty | English | United States | 0
                                                            RT_STRING | 0x4cca0 | 0x13a | empty | English | United States | 0
                                                            RT_STRING | 0x4cde0 | 0x19a | empty | English | United States | 0
                                                            RT_STRING | 0x4cf80 | 0x9a | empty | English | United States | 0
                                                            RT_STRING | 0x4d020 | 0xa8 | empty | English | United States | 0
                                                            RT_STRING | 0x4d0c8 | 0x20 | empty | English | United States | 0
                                                            RT_VERSION | 0x4f7f0 | 0x31c | data | English | United States | 0.4296482412060301
                                                            RT_HTML | 0x4d0e8 | 0x49 | empty | English | United States | 0
                                                            RT_HTML | 0x4d138 | 0xd | empty | English | United States | 0
                                                            RT_HTML | 0x4d148 | 0x6be | empty | English | United States | 0
                                                            DLL | Import
                                                            kernel32.dll | LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
                                                            MFC42.DLL |
                                                            MSVCRT.dll | _strcmpi
                                                            USER32.dll | GetDesktopWindow
                                                            ADVAPI32.dll | RegDeleteValueA
                                                            WS2_32.dll | htons
                                                            SHLWAPI.dll | PathIsDirectoryA
                                                            ole32.dll | CoUninitialize
                                                            OLEAUT32.dll | SafeArrayGetVartype
                                                            MSVCP60.dll | ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
                                                            NETAPI32.dll | Netbios
                                                            Name | Ordinal | Address
                                                            DoAddToFavDlg | 1 | 0x10008645
                                                            InputFile | 2 | 0x1000678b
                                                            PrintFile | 3 | 0x1000443d
                                                            Language of compilation system | Country where language is spoken | Map
                                                            English | United States |
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 19, 2024 14:24:40.615721941 CET | 49707 | 18530 | 192.168.2.8 | 107.163.56.110
                                                            Nov 19, 2024 14:24:40.615811110 CET | 49706 | 18659 | 192.168.2.8 | 107.160.131.253
                                                            Nov 19, 2024 14:24:41.625773907 CET | 49707 | 18530 | 192.168.2.8 | 107.163.56.110
                                                            Nov 19, 2024 14:24:41.625785112 CET | 49706 | 18659 | 192.168.2.8 | 107.160.131.253
                                                            Nov 19, 2024 14:24:43.641510963 CET | 49707 | 18530 | 192.168.2.8 | 107.163.56.110
                                                            Nov 19, 2024 14:24:43.641535044 CET | 49706 | 18659 | 192.168.2.8 | 107.160.131.253
                                                            Nov 19, 2024 14:24:47.641448975 CET | 49707 | 18530 | 192.168.2.8 | 107.163.56.110
                                                            Nov 19, 2024 14:24:47.641721010 CET | 49706 | 18659 | 192.168.2.8 | 107.160.131.253
                                                            Nov 19, 2024 14:24:55.657119989 CET | 49706 | 18659 | 192.168.2.8 | 107.160.131.253
                                                            Nov 19, 2024 14:24:55.657161951 CET | 49707 | 18530 | 192.168.2.8 | 107.163.56.110
                                                            Nov 19, 2024 14:25:05.726532936 CET | 49740 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:05.726566076 CET | 49741 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:06.735306978 CET | 49740 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:06.735321999 CET | 49741 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:08.735232115 CET | 49741 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:08.735275030 CET | 49740 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:08.853775024 CET | 49772 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:09.743359089 CET | 49781 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:09.848402977 CET | 49783 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:09.848583937 CET | 49784 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:10.750876904 CET | 49781 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:10.860253096 CET | 49784 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:10.860351086 CET | 49783 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:12.750935078 CET | 49781 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:12.860301018 CET | 49783 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:12.860312939 CET | 49784 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:13.790194035 CET | 49813 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:13.897733927 CET | 49814 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:13.898276091 CET | 49815 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:14.797770023 CET | 49813 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:14.907170057 CET | 49814 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:14.909013033 CET | 49815 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:16.798535109 CET | 49813 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:16.907171965 CET | 49814 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:16.909497976 CET | 49815 | 80 | 192.168.2.8 | 202.108.0.52
                                                            Nov 19, 2024 14:25:17.800687075 CET | 49850 | 23588 | 192.168.2.8 | 107.160.131.254
                                                            Nov 19, 2024 14:25:17.913883924 CET4985223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:17.914828062 CET4985380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:18.813447952 CET4985023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:18.925156116 CET4985380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:18.925334930 CET4985223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:20.813430071 CET4985023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:20.938417912 CET4985380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:20.939026117 CET4985223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:21.814012051 CET4988223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:21.928117037 CET4988423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:21.928790092 CET4988580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:22.829083920 CET4988223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:22.922780037 CET4988423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:22.922832012 CET4988580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:24.891526937 CET4988223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:24.938426018 CET4988580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:24.938426018 CET4988423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:25.830224037 CET4991723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:25.943288088 CET4991923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:25.943824053 CET4992080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:26.844660044 CET4991723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:26.954107046 CET4992080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:26.985322952 CET4991923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:28.860316038 CET4991723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:28.955022097 CET4992080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:29.094696045 CET4991923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:29.872823000 CET4995323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:29.998346090 CET4995523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:30.377155066 CET4995980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:30.891599894 CET4995323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:31.000979900 CET4995523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:31.391597986 CET4995980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:32.985482931 CET4995323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:33.001010895 CET4995523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:33.391635895 CET4995980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:33.861284971 CET4999023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:33.975883007 CET4999223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:33.977057934 CET4999380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:34.876353979 CET4999023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:34.985382080 CET4999223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:34.985404015 CET4999380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:36.875955105 CET4999023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:36.985368013 CET4999223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:36.985446930 CET4999380192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:37.876288891 CET5002123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:38.455117941 CET5002323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:38.456125021 CET5002480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:38.891649961 CET5002123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:39.469863892 CET5002323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:39.469891071 CET5002480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:40.891657114 CET5002123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:41.485347986 CET5002480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:41.485465050 CET5002323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:41.892653942 CET5005623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:42.007720947 CET5005823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:42.008347988 CET5005980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:42.891611099 CET5005623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:43.016781092 CET5005823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:43.016849995 CET5005980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:44.907248974 CET5005623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:45.032244921 CET5005823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:45.035104990 CET5005980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:45.907807112 CET5009823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:46.019923925 CET5010023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:46.020697117 CET5010180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:46.922863007 CET5009823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:47.032294035 CET5010023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:47.035080910 CET5010180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:48.938508987 CET5009823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:49.032263041 CET5010023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:49.035095930 CET5010180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:49.925606012 CET5014423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:50.035718918 CET5014623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:50.036628008 CET5014780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:50.938514948 CET5014423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:51.047877073 CET5014623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:51.049134970 CET5014780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:52.954145908 CET5014423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:53.047916889 CET5014623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:53.048105001 CET5014780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:53.939373016 CET5019223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:54.053328037 CET5019423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:54.054531097 CET5019580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:54.938524961 CET5019223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:55.047931910 CET5019423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:55.051212072 CET5019580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:56.938529015 CET5019223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:57.047936916 CET5019423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:57.051140070 CET5019580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:57.970362902 CET5025123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:58.084568977 CET5025323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:58.085148096 CET5025480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:25:58.985445023 CET5025123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:59.094801903 CET5025323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:25:59.094911098 CET5025480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:00.985413074 CET5025123588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:01.094901085 CET5025323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:01.110502005 CET5025480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:01.970464945 CET5031623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:02.122955084 CET5032023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:02.123651981 CET5032180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:02.985455036 CET5031623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:03.110642910 CET5032023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:03.110646009 CET5032180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:04.985410929 CET5031623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:05.126163960 CET5032023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:05.129594088 CET5032180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:05.987163067 CET5039323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:06.099972963 CET5039623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:06.100513935 CET5039780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:07.001123905 CET5039323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:07.110411882 CET5039623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:07.110421896 CET5039780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:09.001092911 CET5039323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:09.110553026 CET5039623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:09.110641956 CET5039780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:10.002002001 CET5045223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:10.117201090 CET5045623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:10.117883921 CET5045780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:11.016805887 CET5045223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:11.110445023 CET5045623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:11.110455036 CET5045780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:13.016756058 CET5045223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:13.110630035 CET5045623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:13.110630989 CET5045780192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:14.002032042 CET5055523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:14.116729975 CET5055923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:14.117393970 CET5056080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:15.016726017 CET5055523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:15.126080036 CET5055923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:15.126080036 CET5056080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:17.016719103 CET5055523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:17.126133919 CET5056080192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:17.126200914 CET5055923588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:18.022039890 CET5065023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:18.134448051 CET5065480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:18.134533882 CET5065523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:19.032381058 CET5065023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:19.141714096 CET5065523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:19.141721964 CET5065480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:21.032349110 CET5065023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:21.157393932 CET5065523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:21.159169912 CET5065480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:22.034920931 CET5082023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:22.153125048 CET5082823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:22.153687000 CET5082980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:23.032393932 CET5082023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:23.188607931 CET5082980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:23.189886093 CET5082823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:25.032401085 CET5082023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:25.188607931 CET5082980192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:25.188616037 CET5082823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:26.051171064 CET5103523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:26.237404108 CET5104323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:26.239666939 CET5104480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:27.079231977 CET5103523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:27.251101971 CET5104323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:27.391735077 CET5104480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:29.079251051 CET5103523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:29.266752005 CET5104323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:29.399588108 CET5104480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:30.168665886 CET5126723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:30.169061899 CET5126823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:30.647553921 CET5129880192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:31.282362938 CET5126723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:31.282757998 CET5126823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:31.782365084 CET5129880192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:33.289228916 CET5144823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:33.305258036 CET5145023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:33.309498072 CET5145180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:34.342844009 CET5144823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:34.391746998 CET5145180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:34.391820908 CET5145023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:36.391760111 CET5145180192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:36.391772985 CET5145023588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:36.487304926 CET5144823588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:37.331753969 CET5226423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:37.458865881 CET5235323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:37.459856033 CET5235480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:38.376151085 CET5226423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:38.485522985 CET5235323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:38.579678059 CET5235480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:40.485533953 CET5226423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:40.485573053 CET5235323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:40.579309940 CET5235480192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:41.354407072 CET5447523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:41.479357004 CET5452523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:41.481875896 CET5452680192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:42.376142979 CET5447523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:42.486022949 CET5452680192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:42.579286098 CET5452523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:44.376147985 CET5447523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:44.487242937 CET5452680192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:44.579406023 CET5452523588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:45.480082989 CET5708323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:45.481848955 CET5708580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:45.482141972 CET5708623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:46.485570908 CET5708623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:46.579299927 CET5708323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:46.579668999 CET5708580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:48.490139961 CET5708623588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:48.579298973 CET5708323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:48.579298973 CET5708580192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:49.487488985 CET5973323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:49.606384993 CET5982723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:49.609586954 CET5982880192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:50.594918966 CET5973323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:50.594973087 CET5982880192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:50.688668013 CET5982723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:52.688692093 CET5973323588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:52.688698053 CET5982880192.168.2.8202.108.0.52
                                                            Nov 19, 2024 14:26:52.688775063 CET5982723588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:53.502202988 CET6259223588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:53.633871078 CET6264423588192.168.2.8107.160.131.254
                                                            Nov 19, 2024 14:26:53.636389971 CET6264680192.168.2.8202.108.0.52
Nov 19, 2024 14:26:54.688687086 CET  62592        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:54.688776016 CET  62646        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:26:54.688776970 CET  62644        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:56.688708067 CET  62592        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:56.688782930 CET  62646        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:26:56.688781023 CET  62644        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:57.503460884 CET  64939        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:57.619721889 CET  65000        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:57.620663881 CET  65001        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:26:58.579349995 CET  64939        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:58.688714027 CET  65000        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:26:58.688723087 CET  65001        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:00.688707113 CET  64939        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:00.688729048 CET  65000        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:00.688729048 CET  65001        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:01.518512964 CET  51280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:01.633598089 CET  51385        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:01.637638092 CET  51387        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:02.579363108 CET  51280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:02.688705921 CET  51385        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:02.688709021 CET  51387        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:04.579341888 CET  51280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:04.688705921 CET  51385        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:04.688724995 CET  51387        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:05.519896030 CET  53282        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:05.639990091 CET  53342        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:05.693483114 CET  53385        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:06.579467058 CET  53282        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:06.688720942 CET  53342        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:06.876663923 CET  53385        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:08.579668999 CET  53282        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:08.691274881 CET  53342        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:08.876363039 CET  53385        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:09.534600973 CET  56273        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:09.662786961 CET  56331        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:09.665492058 CET  56333        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:10.579500914 CET  56273        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:10.688755035 CET  56333        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:10.688762903 CET  56331        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:12.688757896 CET  56273        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:12.688761950 CET  56333        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:12.688766003 CET  56331        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:13.550123930 CET  59046        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:13.665581942 CET  59091        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:13.667083979 CET  59092        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:14.579478025 CET  59046        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:14.688765049 CET  59091        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:14.689791918 CET  59092        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:16.579472065 CET  59046        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:16.688816071 CET  59092        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:16.782510996 CET  59091        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:17.571221113 CET  61468        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:17.684721947 CET  61538        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:17.685092926 CET  61539        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:18.581572056 CET  61468        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:18.688780069 CET  61538        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:18.688780069 CET  61539        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:20.579550028 CET  61468        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:20.688770056 CET  61538        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:20.688805103 CET  61539        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:21.584034920 CET  64314        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:21.697453022 CET  64340        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:21.699865103 CET  64341        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:22.579834938 CET  64314        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:22.688770056 CET  64341        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:22.891901016 CET  64340        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:24.688782930 CET  64314        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:24.688782930 CET  64341        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:24.891907930 CET  64340        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:25.708920002 CET  50715        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:25.711210966 CET  50716        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:25.730297089 CET  50719        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:26.876280069 CET  50719        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:26.891935110 CET  50715        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:26.891957045 CET  50716        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:28.876291990 CET  50719        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:28.891906023 CET  50715        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:28.893352032 CET  50716        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:29.706254959 CET  53174        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:29.823767900 CET  53241        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:29.828819036 CET  53243        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:30.876286983 CET  53241        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:30.876584053 CET  53243        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:30.894825935 CET  53174        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:32.876311064 CET  53243        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:32.876310110 CET  53241        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:33.079502106 CET  53174        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:33.722116947 CET  55701        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:33.842988968 CET  55749        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:33.853442907 CET  55756        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:34.876313925 CET  55749        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:34.891946077 CET  55701        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:34.891988039 CET  55756        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:36.876482010 CET  55749        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:36.891963005 CET  55756        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:36.892138958 CET  55701        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:37.737807989 CET  58199        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:37.853638887 CET  58255        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:37.855684042 CET  58256        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:38.876311064 CET  58255        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:38.891944885 CET  58199        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:38.892086983 CET  58256        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:40.879108906 CET  58255        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:40.891974926 CET  58199        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:40.891977072 CET  58256        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:41.742420912 CET  61154        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:41.854506969 CET  61193        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:41.857969046 CET  61194        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:42.876327038 CET  61193        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:42.891963959 CET  61154        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:42.895358086 CET  61194        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:44.876343012 CET  61193        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:44.891971111 CET  61154        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:44.891973972 CET  61194        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:45.753154993 CET  63604        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:45.869000912 CET  63650        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:45.871989965 CET  63651        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:46.782814026 CET  63604        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:46.876339912 CET  63650        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:46.876442909 CET  63651        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:48.787369013 CET  63604        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:48.876368999 CET  63650        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:48.879753113 CET  63651        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:49.768950939 CET  49759        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:49.885262012 CET  49810        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:49.887161016 CET  49811        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:50.892050982 CET  49759        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:50.985714912 CET  49810        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:50.985944033 CET  49811        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:52.891973019 CET  49759        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:52.985709906 CET  49810        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:52.985723019 CET  49811        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:53.785599947 CET  52025        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:53.979168892 CET  52058        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:53.983279943 CET  52060        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:54.891977072 CET  52025        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:54.985748053 CET  52058        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:54.985837936 CET  52060        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:56.892059088 CET  52025        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:56.985723972 CET  52058        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:56.988734961 CET  52060        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:57.809887886 CET  54186        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:57.935857058 CET  54196        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:57.943892002 CET  54198        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:27:58.893523932 CET  54186        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:58.985755920 CET  54196        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:27:58.985759020 CET  54198        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:00.895406961 CET  54186        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:00.985743999 CET  54196        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:00.986145020 CET  54198        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:01.818099022 CET  56776        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:01.932241917 CET  56820        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:01.935075998 CET  56821        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:02.883416891 CET  56776        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:03.079662085 CET  56821        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:03.079663992 CET  56820        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:04.876396894 CET  56776        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:05.079550028 CET  56820        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:05.079616070 CET  56821        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:05.836056948 CET  59032        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:05.959243059 CET  59077        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:05.964421034 CET  59078        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:06.892033100 CET  59032        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:06.987431049 CET  59078        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:07.083461046 CET  59077        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:08.892007113 CET  59032        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:08.985789061 CET  59078        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:09.188894033 CET  59077        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:09.841046095 CET  61280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:09.961762905 CET  61388        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:10.892193079 CET  61280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:10.985776901 CET  61388        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:12.892016888 CET  61280        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:12.985788107 CET  61388        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:13.847321987 CET  59350        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:13.973267078 CET  59429        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:14.892014027 CET  59350        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:15.095474958 CET  59429        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:16.892029047 CET  59350        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:17.095176935 CET  59429        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:17.871402025 CET  61975        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:18.380880117 CET  61978        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:18.892025948 CET  61975        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:19.392050982 CET  61978        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:20.574270010 CET  63061        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:20.892103910 CET  61975        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:21.392050028 CET  61978        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:21.579560995 CET  63061        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:21.875798941 CET  63697        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:21.994311094 CET  63768        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:21.994909048 CET  63769        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:22.907994032 CET  63697        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:23.079560041 CET  63768        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:23.080167055 CET  63769        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:25.019185066 CET  63697        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:25.079544067 CET  63768        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:25.079560995 CET  63769        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:25.878392935 CET  49160        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:26.017760992 CET  49254        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:26.019459009 CET  49255        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:26.892057896 CET  49160        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:27.138370037 CET  49254        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:27.138442039 CET  49255        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:28.892065048 CET  49160        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:29.149811983 CET  49254        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:29.149903059 CET  49255        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:29.924071074 CET  51840        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:30.040077925 CET  51877        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:30.041276932 CET  51879        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:31.079632998 CET  51877        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:31.079633951 CET  51840        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:31.079709053 CET  51879        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:33.079588890 CET  51877        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:33.079597950 CET  51879        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:33.113887072 CET  51840        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:33.943373919 CET  54552        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:34.056288958 CET  54679        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:34.056289911 CET  54680        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:34.985831976 CET  54552        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:35.079586983 CET  54679        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:35.079612017 CET  54680        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:36.985846043 CET  54552        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:37.079605103 CET  54679        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:37.079618931 CET  54680        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:37.956382036 CET  57187        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:38.084666967 CET  57240        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:38.084669113 CET  57242        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:38.985863924 CET  57187        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:39.087794065 CET  57240        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:39.087802887 CET  57242        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:40.985831976 CET  57187        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:41.152759075 CET  57240        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:41.152913094 CET  57242        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:42.045383930 CET  58891        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:42.324048996 CET  58894        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:42.324541092 CET  58895        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:43.079623938 CET  58891        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:43.392088890 CET  58894        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:43.392098904 CET  58895        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:45.079659939 CET  58891        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:45.392220020 CET  58894        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:45.392225027 CET  58895        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:49.079623938 CET  58891        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:49.392111063 CET  58894        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:49.392184973 CET  58895        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:57.079668045 CET  58891        23588      192.168.2.8  107.160.131.254
Nov 19, 2024 14:28:57.392128944 CET  58894        80         192.168.2.8  202.108.0.52
Nov 19, 2024 14:28:57.393249989 CET  58895        23588      192.168.2.8  107.160.131.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 14:25:02.682295084 CET | 61561 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:02.689649105 CET | 53 | 61561 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:07.439935923 CET | 57022 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:07.448739052 CET | 53 | 57022 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:08.844156981 CET | 59402 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:08.851649046 CET | 53 | 59402 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:12.424705982 CET | 60275 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:12.927687883 CET | 53 | 60275 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:17.460808039 CET | 52991 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:17.468424082 CET | 53 | 52991 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:22.455702066 CET | 60711 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:22.463224888 CET | 53 | 60711 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:27.518908024 CET | 51252 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:27.526247025 CET | 53 | 51252 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:30.001863956 CET | 53239 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:30.322807074 CET | 53 | 53239 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:32.443738937 CET | 64770 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:32.451770067 CET | 53 | 64770 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:37.533169031 CET | 59582 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:38.046952963 CET | 53 | 59582 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:42.439436913 CET | 64357 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:42.447223902 CET | 53 | 64357 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:47.486337900 CET | 63486 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:47.493582964 CET | 53 | 63486 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:52.471498013 CET | 56591 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:52.479806900 CET | 53 | 56591 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:25:57.455539942 CET | 49932 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:25:57.462965012 CET | 53 | 49932 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:02.468851089 CET | 54461 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:02.476084948 CET | 53 | 54461 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:07.424005985 CET | 51684 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:07.967272997 CET | 53 | 51684 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:12.528201103 CET | 56158 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:12.535715103 CET | 53 | 56158 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:17.432022095 CET | 53253 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:17.439743996 CET | 53 | 53253 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:22.426475048 CET | 63557 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:22.433978081 CET | 53 | 63557 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:27.425965071 CET | 54117 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:27.434043884 CET | 53 | 54117 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:30.168071985 CET | 51835 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:30.646616936 CET | 53 | 51835 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:32.432154894 CET | 63013 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:32.439722061 CET | 53 | 63013 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:37.426999092 CET | 63081 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:37.434618950 CET | 53 | 63081 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:42.427570105 CET | 65056 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:42.437283993 CET | 53 | 65056 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:47.424005032 CET | 62102 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:47.431242943 CET | 53 | 62102 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:52.437810898 CET | 54386 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:52.446202993 CET | 53 | 54386 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:26:57.423410892 CET | 58306 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:26:57.430773020 CET | 53 | 58306 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:02.435044050 CET | 57071 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:02.442382097 CET | 53 | 57071 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:07.423933983 CET | 60156 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:07.431350946 CET | 53 | 60156 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:12.424355984 CET | 62615 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:12.431884050 CET | 53 | 62615 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:17.480093956 CET | 62247 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:17.487660885 CET | 53 | 62247 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:22.423556089 CET | 63585 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:22.431140900 CET | 53 | 63585 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:27.425457954 CET | 57524 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:27.433211088 CET | 53 | 57524 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:32.425044060 CET | 51844 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:32.432256937 CET | 53 | 51844 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:33.844614029 CET | 49710 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:33.852269888 CET | 53 | 49710 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:37.429163933 CET | 52470 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:37.436516047 CET | 53 | 52470 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:42.424137115 CET | 63749 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:42.973465919 CET | 53 | 63749 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:47.427387953 CET | 53177 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:47.436167955 CET | 53 | 53177 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:52.425645113 CET | 58124 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:52.540406942 CET | 53 | 58124 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:27:57.424582958 CET | 58525 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:27:57.431771994 CET | 53 | 58525 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:02.423815012 CET | 63086 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:02.432440042 CET | 53 | 63086 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:07.451950073 CET | 63968 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:07.459525108 CET | 53 | 63968 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:09.964345932 CET | 62800 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:09.986568928 CET | 62800 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:09.993688107 CET | 53 | 62800 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:10.437556982 CET | 53 | 62800 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:12.424608946 CET | 64072 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:12.431502104 CET | 53 | 64072 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:17.423834085 CET | 63188 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:17.454699039 CET | 63188 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:17.935024977 CET | 53 | 63188 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:17.935071945 CET | 53 | 63188 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:20.149029970 CET | 58800 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:20.174072981 CET | 58800 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:20.565541983 CET | 53 | 58800 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:20.565623999 CET | 53 | 58800 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:22.424654007 CET | 59162 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:22.454890966 CET | 59162 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:23.611974955 CET | 59162 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:23.952347040 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:23.952363968 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:23.952373028 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:27.423804998 CET | 56893 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:27.431349993 CET | 53 | 56893 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:32.424931049 CET | 58113 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:32.432806969 CET | 53 | 58113 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:37.425646067 CET | 50006 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:37.455241919 CET | 50006 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:37.947464943 CET | 53 | 50006 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:37.947490931 CET | 53 | 50006 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:42.516774893 CET | 65158 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:42.551462889 CET | 65158 | 53 | 192.168.2.8 | 1.1.1.1
Nov 19, 2024 14:28:43.032388926 CET | 53 | 65158 | 1.1.1.1 | 192.168.2.8
Nov 19, 2024 14:28:43.032435894 CET | 53 | 65158 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 14:25:02.682295084 CET | 192.168.2.8 | 1.1.1.1 | 0x931f | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:07.439935923 CET | 192.168.2.8 | 1.1.1.1 | 0x6294 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:08.844156981 CET | 192.168.2.8 | 1.1.1.1 | 0xda9f | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:12.424705982 CET | 192.168.2.8 | 1.1.1.1 | 0xd3bd | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:17.460808039 CET | 192.168.2.8 | 1.1.1.1 | 0xaa20 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:22.455702066 CET | 192.168.2.8 | 1.1.1.1 | 0xe791 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:27.518908024 CET | 192.168.2.8 | 1.1.1.1 | 0x546d | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:30.001863956 CET | 192.168.2.8 | 1.1.1.1 | 0xa115 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:32.443738937 CET | 192.168.2.8 | 1.1.1.1 | 0x5527 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:37.533169031 CET | 192.168.2.8 | 1.1.1.1 | 0xfc96 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:42.439436913 CET | 192.168.2.8 | 1.1.1.1 | 0xc200 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:47.486337900 CET | 192.168.2.8 | 1.1.1.1 | 0xa38c | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:52.471498013 CET | 192.168.2.8 | 1.1.1.1 | 0x444f | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:57.455539942 CET | 192.168.2.8 | 1.1.1.1 | 0xa039 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:02.468851089 CET | 192.168.2.8 | 1.1.1.1 | 0x5e9e | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:07.424005985 CET | 192.168.2.8 | 1.1.1.1 | 0x4c6 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:12.528201103 CET | 192.168.2.8 | 1.1.1.1 | 0x1675 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:17.432022095 CET | 192.168.2.8 | 1.1.1.1 | 0xfa92 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:22.426475048 CET | 192.168.2.8 | 1.1.1.1 | 0xd09c | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:27.425965071 CET | 192.168.2.8 | 1.1.1.1 | 0xbf37 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:30.168071985 CET | 192.168.2.8 | 1.1.1.1 | 0x4b6 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:32.432154894 CET | 192.168.2.8 | 1.1.1.1 | 0x7bb8 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:37.426999092 CET | 192.168.2.8 | 1.1.1.1 | 0x1449 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:42.427570105 CET | 192.168.2.8 | 1.1.1.1 | 0x1db2 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:47.424005032 CET | 192.168.2.8 | 1.1.1.1 | 0x563a | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:52.437810898 CET | 192.168.2.8 | 1.1.1.1 | 0x6ffd | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:57.423410892 CET | 192.168.2.8 | 1.1.1.1 | 0x8e10 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:02.435044050 CET | 192.168.2.8 | 1.1.1.1 | 0x374f | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:07.423933983 CET | 192.168.2.8 | 1.1.1.1 | 0xd437 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:12.424355984 CET | 192.168.2.8 | 1.1.1.1 | 0xa916 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:17.480093956 CET | 192.168.2.8 | 1.1.1.1 | 0x11fa | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:22.423556089 CET | 192.168.2.8 | 1.1.1.1 | 0x2fbe | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:27.425457954 CET | 192.168.2.8 | 1.1.1.1 | 0xda4a | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:32.425044060 CET | 192.168.2.8 | 1.1.1.1 | 0x3f00 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:33.844614029 CET | 192.168.2.8 | 1.1.1.1 | 0xca17 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:37.429163933 CET | 192.168.2.8 | 1.1.1.1 | 0xd739 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:42.424137115 CET | 192.168.2.8 | 1.1.1.1 | 0xe3c1 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:47.427387953 CET | 192.168.2.8 | 1.1.1.1 | 0x9e02 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:52.425645113 CET | 192.168.2.8 | 1.1.1.1 | 0x7a18 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:57.424582958 CET | 192.168.2.8 | 1.1.1.1 | 0x9d95 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:02.423815012 CET | 192.168.2.8 | 1.1.1.1 | 0x4638 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:07.451950073 CET | 192.168.2.8 | 1.1.1.1 | 0x9830 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:09.964345932 CET | 192.168.2.8 | 1.1.1.1 | 0x566 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:09.986568928 CET | 192.168.2.8 | 1.1.1.1 | 0x566 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:12.424608946 CET | 192.168.2.8 | 1.1.1.1 | 0x15a6 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:17.423834085 CET | 192.168.2.8 | 1.1.1.1 | 0x3434 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:17.454699039 CET | 192.168.2.8 | 1.1.1.1 | 0x3434 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:20.149029970 CET | 192.168.2.8 | 1.1.1.1 | 0x7e0d | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:20.174072981 CET | 192.168.2.8 | 1.1.1.1 | 0x7e0d | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:22.424654007 CET | 192.168.2.8 | 1.1.1.1 | 0x1bde | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:22.454890966 CET | 192.168.2.8 | 1.1.1.1 | 0x1bde | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:23.611974955 CET | 192.168.2.8 | 1.1.1.1 | 0x1bde | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:27.423804998 CET | 192.168.2.8 | 1.1.1.1 | 0xff5c | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:32.424931049 CET | 192.168.2.8 | 1.1.1.1 | 0x1ef | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:37.425646067 CET | 192.168.2.8 | 1.1.1.1 | 0xba38 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:37.455241919 CET | 192.168.2.8 | 1.1.1.1 | 0xba38 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:42.516774893 CET | 192.168.2.8 | 1.1.1.1 | 0xc19e | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:42.551462889 CET | 192.168.2.8 | 1.1.1.1 | 0xc19e | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
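The DNS query table shows the sample re-resolving host123.zz.am roughly every five seconds for the whole run, with blog.sina.com.cn looked up at longer intervals; the answer table records NXDOMAIN for every host123.zz.am query and a CNAME chain to 202.108.0.52 for blog.sina.com.cn. The script below is an added example (it is not part of this report and not Joe Sandbox code) that turns rows in that column layout into a per-name profile: query count, how many transactions ended in NXDOMAIN, the addresses reached through the CNAME chain, and the median and spread of the inter-query interval, which is what separates a sleep-loop beacon from ordinary resolver traffic. The embedded rows are a constructed subset copied from this report's two DNS tables, joined with '|' between columns; the field names, thresholds and the is_beacon rule are the example's own assumptions.

```python
"""Added example (not Joe Sandbox code): profile the DNS traffic recorded in a
sandbox report for periodic (beaconing) lookups and NXDOMAIN-heavy names.

Input rows are a constructed subset of the report's DNS query and answer
tables, one record per line, table columns separated by '|'."""
import statistics
from collections import defaultdict
from datetime import datetime

# Column names are this example's own; they follow the order of the report's tables.
QUERY_FIELDS = ["ts", "src", "dst", "tid", "op", "name", "qtype", "cls", "doh"]
ANSWER_FIELDS = ["ts", "src", "dst", "tid", "rcode", "name", "cname", "addr", "rtype", "cls", "doh"]

# Constructed sample: first rows of the report's DNS query table.
QUERIES = """\
Nov 19, 2024 14:25:02.682295084 CET | 192.168.2.8 | 1.1.1.1 | 0x931f | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:07.439935923 CET | 192.168.2.8 | 1.1.1.1 | 0x6294 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:08.844156981 CET | 192.168.2.8 | 1.1.1.1 | 0xda9f | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:12.424705982 CET | 192.168.2.8 | 1.1.1.1 | 0xd3bd | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:17.460808039 CET | 192.168.2.8 | 1.1.1.1 | 0xaa20 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:22.455702066 CET | 192.168.2.8 | 1.1.1.1 | 0xe791 | Standard query (0) | host123.zz.am | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:30.001863956 CET | 192.168.2.8 | 1.1.1.1 | 0xa115 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
"""

# Constructed sample: the matching rows of the report's DNS answer table.
ANSWERS = """\
Nov 19, 2024 14:25:02.689649105 CET | 1.1.1.1 | 192.168.2.8 | 0x931f | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:07.448739052 CET | 1.1.1.1 | 192.168.2.8 | 0x6294 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:08.851649046 CET | 1.1.1.1 | 192.168.2.8 | 0xda9f | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:25:08.851649046 CET | 1.1.1.1 | 192.168.2.8 | 0xda9f | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:12.927687883 CET | 1.1.1.1 | 192.168.2.8 | 0xd3bd | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:17.468424082 CET | 1.1.1.1 | 192.168.2.8 | 0xaa20 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:22.463224888 CET | 1.1.1.1 | 192.168.2.8 | 0xe791 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:30.322807074 CET | 1.1.1.1 | 192.168.2.8 | 0xa115 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:25:30.322807074 CET | 1.1.1.1 | 192.168.2.8 | 0xa115 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
"""


def parse_ts(text):
    """'Nov 19, 2024 14:25:02.682295084 CET' -> datetime; the report prints
    nanoseconds, datetime only takes microseconds, so the fraction is truncated."""
    date, clock, _tz = text.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(block, fields):
    """Split '|'-joined table rows into dicts; blank cells become ''."""
    rows = []
    for line in block.splitlines():
        if line.strip():
            cells = [c.strip() for c in line.split("|")]
            rows.append(dict(zip(fields, cells)))
    return rows


def profile_dns(query_text, answer_text):
    """Return {queried name: stats}. Answers are joined to queries by DNS
    transaction ID, so A records reached via a CNAME are credited to the
    name that was actually asked for."""
    queries = parse_rows(query_text, QUERY_FIELDS)
    answers = parse_rows(answer_text, ANSWER_FIELDS)
    name_by_tid = {q["tid"]: q["name"] for q in queries}
    times, nx_tids, addrs = defaultdict(list), defaultdict(set), defaultdict(set)
    for q in queries:
        times[q["name"]].append(parse_ts(q["ts"]))
    for a in answers:
        name = name_by_tid.get(a["tid"])
        if name is None:
            continue  # answer whose query is not in the sample
        if a["rcode"].startswith("Name error"):
            nx_tids[name].add(a["tid"])  # NXDOMAIN, counted once per transaction
        elif a["rtype"].startswith("A ") and a["addr"] not in ("", "none"):
            addrs[name].add(a["addr"])
    profile = {}
    for name, ts in times.items():
        ts.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
        profile[name] = {
            "queries": len(ts),
            "nxdomain": len(nx_tids[name]),
            "addresses": sorted(addrs[name]),
            "median_interval": statistics.median(gaps) if gaps else None,
            "jitter": (max(gaps) - min(gaps)) if gaps else None,  # spread of the interval
        }
    return profile


def is_beacon(stats, min_queries=4, max_jitter=1.0):
    """Assumed rule: a name re-resolved at least min_queries times with the
    interval varying by at most max_jitter seconds is treated as a beacon,
    whether or not the lookups succeed (NXDOMAIN does not stop this sample)."""
    return stats["queries"] >= min_queries and stats["jitter"] is not None and stats["jitter"] <= max_jitter


if __name__ == "__main__":
    for name, stats in profile_dns(QUERIES, ANSWERS).items():
        flag = "BEACON" if is_beacon(stats) else "-"
        print(f"{flag:7}{name:20} queries={stats['queries']} nxdomain={stats['nxdomain']} "
              f"median={stats['median_interval']} jitter={stats['jitter']} addrs={stats['addresses']}")
```

On the sample, host123.zz.am is flagged (five queries about five seconds apart, all NXDOMAIN, no address), while blog.sina.com.cn is not (two queries, resolved to 202.108.0.52). Joining on the transaction ID rather than on the name is what keeps retransmitted queries (the report shows the same ID sent twice or three times) from being double-counted, and what attributes the A record for blogx.sina.com.cn to the name the sample asked for. The thresholds are starting points, not calibrated values; on real telemetry, compare the interval against the sample's sleep behaviour (this report notes ping.exe being used to sleep) and the NXDOMAIN ratio against the host's baseline.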
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 14:25:02.689649105 CET | 1.1.1.1 | 192.168.2.8 | 0x931f | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:07.448739052 CET | 1.1.1.1 | 192.168.2.8 | 0x6294 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:08.851649046 CET | 1.1.1.1 | 192.168.2.8 | 0xda9f | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:25:08.851649046 CET | 1.1.1.1 | 192.168.2.8 | 0xda9f | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:12.927687883 CET | 1.1.1.1 | 192.168.2.8 | 0xd3bd | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:17.468424082 CET | 1.1.1.1 | 192.168.2.8 | 0xaa20 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:22.463224888 CET | 1.1.1.1 | 192.168.2.8 | 0xe791 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:27.526247025 CET | 1.1.1.1 | 192.168.2.8 | 0x546d | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:30.322807074 CET | 1.1.1.1 | 192.168.2.8 | 0xa115 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:25:30.322807074 CET | 1.1.1.1 | 192.168.2.8 | 0xa115 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:32.451770067 CET | 1.1.1.1 | 192.168.2.8 | 0x5527 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:38.046952963 CET | 1.1.1.1 | 192.168.2.8 | 0xfc96 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:42.447223902 CET | 1.1.1.1 | 192.168.2.8 | 0xc200 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:47.493582964 CET | 1.1.1.1 | 192.168.2.8 | 0xa38c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:52.479806900 CET | 1.1.1.1 | 192.168.2.8 | 0x444f | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:25:57.462965012 CET | 1.1.1.1 | 192.168.2.8 | 0xa039 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:02.476084948 CET | 1.1.1.1 | 192.168.2.8 | 0x5e9e | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:07.967272997 CET | 1.1.1.1 | 192.168.2.8 | 0x4c6 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:12.535715103 CET | 1.1.1.1 | 192.168.2.8 | 0x1675 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:17.439743996 CET | 1.1.1.1 | 192.168.2.8 | 0xfa92 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:22.433978081 CET | 1.1.1.1 | 192.168.2.8 | 0xd09c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:27.434043884 CET | 1.1.1.1 | 192.168.2.8 | 0xbf37 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:30.646616936 CET | 1.1.1.1 | 192.168.2.8 | 0x4b6 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:26:30.646616936 CET | 1.1.1.1 | 192.168.2.8 | 0x4b6 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:32.439722061 CET | 1.1.1.1 | 192.168.2.8 | 0x7bb8 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:37.434618950 CET | 1.1.1.1 | 192.168.2.8 | 0x1449 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:42.437283993 CET | 1.1.1.1 | 192.168.2.8 | 0x1db2 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:47.431242943 CET | 1.1.1.1 | 192.168.2.8 | 0x563a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:52.446202993 CET | 1.1.1.1 | 192.168.2.8 | 0x6ffd | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:26:57.430773020 CET | 1.1.1.1 | 192.168.2.8 | 0x8e10 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:02.442382097 CET | 1.1.1.1 | 192.168.2.8 | 0x374f | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:07.431350946 CET | 1.1.1.1 | 192.168.2.8 | 0xd437 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:12.431884050 CET | 1.1.1.1 | 192.168.2.8 | 0xa916 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:17.487660885 CET | 1.1.1.1 | 192.168.2.8 | 0x11fa | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:22.431140900 CET | 1.1.1.1 | 192.168.2.8 | 0x2fbe | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:27.433211088 CET | 1.1.1.1 | 192.168.2.8 | 0xda4a | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:32.432256937 CET | 1.1.1.1 | 192.168.2.8 | 0x3f00 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:33.852269888 CET | 1.1.1.1 | 192.168.2.8 | 0xca17 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:27:33.852269888 CET | 1.1.1.1 | 192.168.2.8 | 0xca17 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:37.436516047 CET | 1.1.1.1 | 192.168.2.8 | 0xd739 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:42.973465919 CET | 1.1.1.1 | 192.168.2.8 | 0xe3c1 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:47.436167955 CET | 1.1.1.1 | 192.168.2.8 | 0x9e02 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:52.540406942 CET | 1.1.1.1 | 192.168.2.8 | 0x7a18 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:27:57.431771994 CET | 1.1.1.1 | 192.168.2.8 | 0x9d95 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:02.432440042 CET | 1.1.1.1 | 192.168.2.8 | 0x4638 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:07.459525108 CET | 1.1.1.1 | 192.168.2.8 | 0x9830 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:10.437556982 CET | 1.1.1.1 | 192.168.2.8 | 0x566 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:28:10.437556982 CET | 1.1.1.1 | 192.168.2.8 | 0x566 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:12.431502104 CET | 1.1.1.1 | 192.168.2.8 | 0x15a6 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:17.935024977 CET | 1.1.1.1 | 192.168.2.8 | 0x3434 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:17.935071945 CET | 1.1.1.1 | 192.168.2.8 | 0x3434 | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:20.565541983 CET | 1.1.1.1 | 192.168.2.8 | 0x7e0d | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:28:20.565541983 CET | 1.1.1.1 | 192.168.2.8 | 0x7e0d | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:20.565623999 CET | 1.1.1.1 | 192.168.2.8 | 0x7e0d | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 14:28:20.565623999 CET | 1.1.1.1 | 192.168.2.8 | 0x7e0d | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:23.952347040 CET | 1.1.1.1 | 192.168.2.8 | 0x1bde | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:23.952363968 CET | 1.1.1.1 | 192.168.2.8 | 0x1bde | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:23.952373028 CET | 1.1.1.1 | 192.168.2.8 | 0x1bde | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 14:28:27.431349993 CET | 1.1.1.1 | 192.168.2.8 | 0xff5c | Name error (3) | host123.zz.am | none | none | A (IP address) | IN (0x0001) | false
                                                            Nov 19, 2024 14:28:32.432806969 CET1.1.1.1192.168.2.80x1efName error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                            Nov 19, 2024 14:28:37.947464943 CET1.1.1.1192.168.2.80xba38Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                            Nov 19, 2024 14:28:37.947490931 CET1.1.1.1192.168.2.80xba38Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                            Nov 19, 2024 14:28:43.032388926 CET1.1.1.1192.168.2.80xc19eName error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                            Nov 19, 2024 14:28:43.032435894 CET1.1.1.1192.168.2.80xc19eName error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
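The answer rows above show the sample querying host123.zz.am roughly every five seconds and receiving NXDOMAIN each time, interleaved with resolutions of blog.sina.com.cn, and several answers are logged twice under the same transaction ID. The script below is an added example, not part of the Joe Sandbox report; it turns that observation into a periodic-NXDOMAIN beacon check. The log it runs over is a constructed, pipe-delimited rendering of a subset of the rows above (timestamps trimmed to microseconds, time zone dropped); the field order, thresholds and function names are assumptions for illustration.

```python
"""Periodic-NXDOMAIN beacon detection over DNS answer records.

Added example; not Joe Sandbox code. SAMPLE_LOG is a constructed rendering of
the report's DNS answer rows: timestamp|src|dst|trans id|reply code|name|type.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2024-11-19 14:27:33.852270|1.1.1.1|192.168.2.8|0xca17|No error (0)|blog.sina.com.cn|CNAME
2024-11-19 14:27:37.436516|1.1.1.1|192.168.2.8|0xd739|Name error (3)|host123.zz.am|A
2024-11-19 14:27:42.973466|1.1.1.1|192.168.2.8|0xe3c1|Name error (3)|host123.zz.am|A
2024-11-19 14:27:47.436168|1.1.1.1|192.168.2.8|0x9e02|Name error (3)|host123.zz.am|A
2024-11-19 14:27:52.540407|1.1.1.1|192.168.2.8|0x7a18|Name error (3)|host123.zz.am|A
2024-11-19 14:27:57.431772|1.1.1.1|192.168.2.8|0x9d95|Name error (3)|host123.zz.am|A
2024-11-19 14:28:02.432440|1.1.1.1|192.168.2.8|0x4638|Name error (3)|host123.zz.am|A
2024-11-19 14:28:07.459525|1.1.1.1|192.168.2.8|0x9830|Name error (3)|host123.zz.am|A
2024-11-19 14:28:10.437557|1.1.1.1|192.168.2.8|0x566|No error (0)|blog.sina.com.cn|CNAME
2024-11-19 14:28:12.431502|1.1.1.1|192.168.2.8|0x15a6|Name error (3)|host123.zz.am|A
2024-11-19 14:28:17.935025|1.1.1.1|192.168.2.8|0x3434|Name error (3)|host123.zz.am|A
2024-11-19 14:28:17.935072|1.1.1.1|192.168.2.8|0x3434|Name error (3)|host123.zz.am|A
2024-11-19 14:28:20.565542|1.1.1.1|192.168.2.8|0x7e0d|No error (0)|blog.sina.com.cn|CNAME
2024-11-19 14:28:23.952347|1.1.1.1|192.168.2.8|0x1bde|Name error (3)|host123.zz.am|A
2024-11-19 14:28:23.952364|1.1.1.1|192.168.2.8|0x1bde|Name error (3)|host123.zz.am|A
2024-11-19 14:28:27.431350|1.1.1.1|192.168.2.8|0xff5c|Name error (3)|host123.zz.am|A
2024-11-19 14:28:32.432807|1.1.1.1|192.168.2.8|0x1ef|Name error (3)|host123.zz.am|A
"""

RCODE_RE = re.compile(r"\((\d+)\)")  # pulls the numeric code out of "Name error (3)"


def parse_log(text):
    """Yield (timestamp, rcode, name) once per distinct answer.

    The report logs some answers twice under one transaction id (e.g. 0x3434),
    so records are de-duplicated on (trans id, name) before timing analysis;
    otherwise the duplicate produces a bogus near-zero interval.
    """
    seen = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, _dst, txid, rcode, name, _rtype = line.split("|")
        key = (txid, name.lower())
        if key in seen:
            continue
        seen.add(key)
        code = int(RCODE_RE.search(rcode).group(1))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), code, name.lower()


def find_nxdomain_beacons(records, min_answers=5, max_jitter=0.25, min_regular=0.8):
    """Return {name: {"answers", "period_s", "regular"}} for names that keep
    returning NXDOMAIN at a near-constant interval.

    A name qualifies when at least min_answers NXDOMAIN answers exist and at
    least min_regular of the inter-answer gaps lie within max_jitter of the
    median gap (the assumed beacon period).
    """
    by_name = defaultdict(list)
    for ts, rcode, name in records:
        if rcode == 3:
            by_name[name].append(ts)
    hits = {}
    for name, times in by_name.items():
        if len(times) < min_answers:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(abs(g - period) <= max_jitter * period for g in gaps) / len(gaps)
        if regular >= min_regular:
            hits[name] = {"answers": len(times), "period_s": round(period, 2),
                          "regular": round(regular, 2)}
    return hits


if __name__ == "__main__":
    for name, info in find_nxdomain_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {info['answers']} NXDOMAIN answers, period ~{info['period_s']}s")
```

On the sample this flags host123.zz.am with a period of about five seconds; the successful blog.sina.com.cn lookups are ignored by this rule and would need a separate check (repeated resolution of a public blog host by a rundll32-hosted DLL is itself worth a look). Tune min_answers and max_jitter against a baseline of real resolver logs before deploying, since retry storms for a genuinely dead host can look similar over short windows.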


                                                            Target ID:0
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\loaddll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:loaddll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll"
                                                            Imagebase:0x170000
                                                            File size:126'464 bytes
                                                            MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:2
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,DoAddToFavDlg
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",#1
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:6
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:08:24:36
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:ping 127.0.0.1 -n 3
                                                            Imagebase:0xc80000
                                                            File size:18'944 bytes
                                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:08:24:39
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,InputFile
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:08:24:42
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe C:\Users\user\Desktop\08e2VwqyI0.dll,PrintFile
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:08:24:42
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 672
                                                            Imagebase:0x90000
                                                            File size:483'680 bytes
                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",InputFile
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",PrintFile
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 668
                                                            Imagebase:0x90000
                                                            File size:483'680 bytes
                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:08:24:45
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:ping 127.0.0.1 -n 3
                                                            Imagebase:0xc80000
                                                            File size:18'944 bytes
                                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:08:25:08
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:08:25:09
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:08:25:09
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:08:25:09
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:ping 127.0.0.1 -n 3
                                                            Imagebase:0xc80000
                                                            File size:18'944 bytes
                                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:08:25:16
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg
                                                            Imagebase:0x5d0000
                                                            File size:61'440 bytes
                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:08:25:17
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:08:25:17
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:08:25:17
                                                            Start date:19/11/2024
                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:ping 127.0.0.1 -n 3
                                                            Imagebase:0xc80000
                                                            File size:18'944 bytes
                                                            MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

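The process list above shows the full cleanup chain: rundll32 loads the sample from the user's Desktop by export name, then spawns cmd.exe, which runs ping against the loopback interface (a sleep without calling Sleep) and then removes the directory the sample was launched from. The script below is an added example, not part of the Joe Sandbox report: it copies the four command lines from the entries above, splits cmd.exe chains the way cmd does (on & / && / | / ||, outside quotes), and flags the two patterns. The directory list in USER_WRITABLE and the N-1 second delay estimate are my own assumptions.

```python
"""Flag the ping-as-sleep / self-delete chain and the rundll32 launch seen in this process list.

Added example, not part of the Joe Sandbox report: the command lines in OBSERVED_CMDLINES are
copied from the process entries above; the splitting and scoring below are my own heuristics.
"""
import re

# Copied from the process list above (rundll32, cmd.exe, conhost, PING.EXE).
OBSERVED_CMDLINES = [
    r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg',
    r'cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'ping 127.0.0.1 -n 3',
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DESTRUCTIVE = {"rd", "rmdir", "del", "erase"}
# Assumption: directories a non-admin user can write to; a DLL that rundll32 loads from here is worth a look.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(users|programdata|temp)\\", re.I)
CMD_WRAPPER = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ckCK]\s+(.*)$')


def split_chain(cmdline):
    """Split on cmd.exe separators (& && | ||) outside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif not in_quote and ch in "&|":
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1                      # '&&' / '||' count as one separator
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokens(part):
    """Tokenise one command; a quoted path stays a single token, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', part)]


def unwrap_cmd(cmdline):
    """Return the payload of 'cmd.exe /c <payload>' (or /k), else the line unchanged."""
    m = CMD_WRAPPER.match(cmdline)
    return m.group(1) if m else cmdline


def ping_delay_seconds(toks):
    """For 'ping <loopback> -n N' return the approximate delay in seconds (N-1), else None.

    Windows ping waits roughly one second between echo requests, so N requests to the
    loopback interface take about N-1 seconds: a sleep that needs no Sleep() call.
    """
    if not toks or toks[0].lower() not in ("ping", "ping.exe"):
        return None
    if not any(t.lower() in LOOPBACK for t in toks[1:]):
        return None
    for i, t in enumerate(toks):
        if t.lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            return max(int(toks[i + 1]) - 1, 0)
    return None


def analyse(cmdline):
    """Return the list of findings (strings) for one process command line."""
    findings = []
    chain = [tokens(p) for p in split_chain(unwrap_cmd(cmdline))]
    head = chain[0] if chain else []
    if head and head[0].lower().endswith("rundll32.exe") and len(head) > 1:
        # rundll32 syntax is <dll>,<export>; the quoted path may have split the comma off.
        dll, _, export = "".join(head[1:]).partition(",")
        if USER_WRITABLE.match(dll):
            findings.append(f"rundll32 loads DLL from user-writable path: {dll} (export {export or 'none'})")
    for idx, toks in enumerate(chain):
        delay = ping_delay_seconds(toks)
        if delay is None:
            continue
        victims = [t for t in chain[idx + 1:] if t and t[0].lower() in DESTRUCTIVE]
        if victims:
            findings.append(f"ping sleep (~{delay}s) then {victims[0][0]} of {victims[0][-1]}")
        else:
            findings.append(f"ping loopback used as sleep (~{delay}s)")
    return findings


def analyse_all(cmdlines):
    """Map each command line to its findings, dropping lines with none."""
    out = {}
    for c in cmdlines:
        f = analyse(c)
        if f:
            out[c] = f
    return out


if __name__ == "__main__":
    for cmd, found in analyse_all(OBSERVED_CMDLINES).items():
        print(cmd)
        for f in found:
            print("   ", f)
```

Note that the delete target here is the whole Desktop folder, not just the DLL: `rd /s /q` on the directory the sample was started from takes everything beside it with it, which is why the report's "Uses ping.exe to sleep" signature is worth pairing with a check on what follows the ping in the same cmd.exe chain.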

                                                              Execution Graph

                                                              Execution Coverage:11.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:7.9%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3
                                                              execution_graph (loaddll32, dump at 2450000), read from the node/edge listing:
                                                              • 2451525 LoadLibraryA -> 2451547 GetProcAddress
                                                              • 24514c0 VirtualProtect -> 24514ff VirtualProtect (directly, or via 24514fb)
                                                              • 2450e9f -> 2450ea9 LoadLibraryA -> 2450ec1 -> 2450ec7 GetProcAddress -> back to 2450ec1 (inner loop); 2450ec1 -> 2450ea9 (outer loop) or 2450ee4 (exit)
                                                              • 2450cd0 -> 2450d32 -> 2450d3e -> 2450d57 VirtualAlloc -> 2450d86, then one of: 2450e28 MessageBoxA ExitProcess; 2450e42 -> 2450e70 VirtualFree -> 2450ce7 -> 2450cf9 -> 2450d29 -> 2450d57 VirtualAlloc -> 2450d86 (same branches, wsprintfA at 2450e0c); 2450dc7 -> 2450dd7 wsprintfA -> 2450de7 -> 2450e28 MessageBoxA ExitProcess (or 2450dc7 -> 2450de7 directly)
                                                              • 2450c8d -> 2450caf -> 2450d57 VirtualAlloc -> 2450d86, with the same three branches (2450e28 MessageBoxA ExitProcess; 2450e42 -> 2450e70 VirtualFree; 2450dc7 -> 2450e0c wsprintfA -> 2450de7 -> 2450e28)
                                                              • 2450063 -> 2450067 -> 245006b VirtualAlloc -> 2450084 -> 24500b5 VirtualFree -> 24500c3 (2450067 and 245006b also branch straight to 24500c3)
                                                              • 245002a -> 245002c -> 2450047 -> 245004b -> 245003b (directly, or via 2450063 "2 API calls"); 245003b -> 2450045 -> 2450063 (the VirtualAlloc/VirtualFree helper above) -> 24500c3 -> 2450056, or 2450045 -> 2450056; 245003b -> 24500aa VirtualFree -> 2450056; 245002c -> 2450056


                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 02450D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02450E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02450E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02450E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 6662643a65ef3f35612ce979159e1844298f55197b153730f20b1bbd481c7f88
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 9351E2321057959FDB368F20CC50BEB7BB5AF0A304F09419EDD869B297EB34A819CB51

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 02450D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02450E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02450E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02450E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02450E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: e314553602c3854b2d4546a4f276e811bdb11a5099f4bd92a7cbcf2b37e10f11
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: B2418C362007169BEB348F15CC44FEB73A5AF48351F04451EED8AA7646EB70A815CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 02450D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02450E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02450E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02450E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02450E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: e0efd59c8e17868e11c7f77e9929977c5de696726f0cfd490e123f10f31ea5de
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: 4C31C9362013569FEB399F11CC80FEB77A6AF49351F00411EEE8A97686EB70A810CB50

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks and edges): 24514c0-24514f9 (VirtualProtect) -> 24514ff-2451517 (VirtualProtect), directly or via 24514fb-24514fd
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 024514EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0245150D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: fac49d679feb86cac87c3b4894642fe879772b509f97c875d5e00b37d2dd6787
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 20F0E933240245AFEB098F64D885FEE7768DF49398B20006BF7429A286CA71E551C754

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks and edges): 2450063-2450069 -> 245006b-2450082 (VirtualAlloc) or -> 24500c3-24500c5 -> 24500c6-24500ca; 245006b-2450082 -> 2450084-24500b0 (call 24500cd) or -> 24500c3-24500c5; 2450084-24500b0 -> 24500b5-24500c1 (VirtualFree), directly or via 24500b2-24500b4; 24500b5-24500c1 -> 24500c3-24500c5 or 24500c6-24500ca
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0245007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 024500BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: 7b2a44f1f2ccb7c35106f6d1c29af567ce6e098585882c29fe9dd6ed246f0706
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: 4D014B7620A6116EE6314AA1AC00F37BBDCEF4CB12F14485ABED5C1191DA25E4418F70

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks and edges): 245002a-245002e -> 2450034-2450043 (call 2450047) or -> 24500c3-24500c5 -> 24500c6-24500ca; 2450034-2450043 -> 2450045-245004c or -> 24500aa-24500b0; 2450045-245004c -> 2450056-2450061, directly or via 2450051 (call 2450063); 2450056-2450061 -> 24500c3-24500c5; 24500aa-24500b0 -> 24500b5-24500c1 (VirtualFree), directly or via 24500b2-24500b4; 24500b5-24500c1 -> 24500c3-24500c5 or 24500c6-24500ca
                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 024500BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: b6b961f632e45adf2d2206f9146b4b5f6f730b3e12911d844d034db5a1121d65
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 89F0592614A32129F22067357D44A27BB98EF0A721B05299BDC80D2093DD11C8028EA4

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks and edges): 2450e9f-2450ea6 -> 2450ea9-2450ebf (LoadLibraryA) -> 2450ec1-2450ec5 -> 2450ec7-2450edb (GetProcAddress) -> back to 2450ec1-2450ec5 (inner loop); 2450ec1-2450ec5 -> 2450edd-2450ee2 -> back to 2450ea9-2450ebf (outer loop) or -> 2450ee4-2450ee8 (exit)
                                                              APIs
                                                              • LoadLibraryA.KERNEL32 ref: 02450EAE
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 02450ED0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID:
                                                              • API String ID: 2574300362-0
                                                              • Opcode ID: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
                                                              • Instruction ID: 7423a25bb6470294071c3630cdc00c7104a739653fb866cec93bf927d4e1ba91
                                                              • Opcode Fuzzy Hash: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
                                                              • Instruction Fuzzy Hash: 72F082B7A101049FDB10CF18CCC49AAF3B1EF98369329847ADC86A7715D735FD568A10
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1498542174.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2450000_loaddll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
                                                              • Instruction ID: 07bed9dd7cc8f974899cd8c0df6e63197d07e44f897ddbb3771aed56e9a27410
                                                              • Opcode Fuzzy Hash: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
                                                              • Instruction Fuzzy Hash: D55217766083618BC708CE29C59026EFBE2FFC8344F155A2EE8D687395D7709949CB82
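Read together, the function entries above describe a loader stub rather than the final payload: VirtualAlloc with flProtect 0x40 (an RWX buffer), a VirtualProtect pair that makes a page writable (0x04) and then restores the saved protection, a nested LoadLibraryA/GetProcAddress loop, and an error path that formats "The procedure %s could not be located in the DLL %s." into MessageBoxA under the caption "Application error" and calls ExitProcess. The decoder below is an added example, not part of the Joe Sandbox report: it parses the report's "• Api.Module(args), ref: addr" lines (the sample lines are copied from the entries above), names the Win32 constants in the flag positions that matter, and lists the observations an analyst would note. The argument positions and constant tables are standard Win32 values; the review notes are my own heuristics.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function entry and name the Win32 flags in them.

Added example, not part of the report. SAMPLE_API_LINES are copied from the entries above
(process 0, dump at 0x2450000); the review() heuristics are my own.
"""
import re

SAMPLE_API_LINES = [
    "• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?), ref: 02450D78",
    "• wsprintfA.USER32(?,?,?,?), ref: 02450E1C",
    "• MessageBoxA.USER32(00000000,?,?,00000010), ref: 02450E34",
    "• ExitProcess.KERNEL32(00000000), ref: 02450E3C",
    "• VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02450E85",
    "• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 024514EF",
    "• VirtualFree.KERNELBASE(00000000,?,00004000), ref: 024500BE",
]

# '•', whitespace or any other leading decoration is skipped; '?' marks an argument the sandbox could not resolve.
LINE_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# VirtualAlloc's flAllocationType and VirtualFree's dwFreeType share one numbering.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
MB_BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE",
              3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}
WRITABLE_PAGES = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_WRITECOPY"}


def decode_page_protect(v):
    """Page protection is one base value plus optional modifier bits."""
    names = [PAGE_BASE.get(v & 0xFF, f"0x{v & 0xFF:x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if v & bit]
    return "|".join(names)


def decode_bitmask(v, table):
    """Generic OR-ed flag word; unknown leftover bits are kept as hex."""
    names = [n for bit, n in table.items() if v & bit]
    rest = v & ~sum(table)
    if rest:
        names.append(f"0x{rest:x}")
    return "|".join(names) or "0"


def decode_mb_type(v):
    """MessageBox uType: low nibble selects the buttons, 0xF0 the icon."""
    return "|".join([MB_BUTTONS.get(v & 0xF, f"0x{v & 0xF:x}"), MB_ICONS.get(v & 0xF0, f"0x{v & 0xF0:x}")])


# 0-based position of the flag argument as logged (the trailing '?' the sandbox appends is ignored).
FLAG_ARGS = {
    "VirtualAlloc":   {2: lambda v: decode_bitmask(v, MEM_FLAGS), 3: decode_page_protect},
    "VirtualFree":    {2: lambda v: decode_bitmask(v, MEM_FLAGS)},
    "VirtualProtect": {2: decode_page_protect},
    "MessageBoxA":    {3: decode_mb_type},
}


def parse_api_line(line):
    """Parse one API line into {api, module, ref, args, decoded}; unresolved '?' args become None."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",") if a.strip()]
    decoded = {}
    for pos, fn in FLAG_ARGS.get(m["api"], {}).items():
        if pos < len(args) and args[pos] is not None:
            decoded[pos] = fn(args[pos])
    return {"api": m["api"], "module": m["module"], "ref": int(m["ref"], 16), "args": args, "decoded": decoded}


def review(lines):
    """Return (records, notes): the decoded records plus the points an analyst would write down."""
    records = [parse_api_line(l) for l in lines]
    notes = []
    for r in records:
        d = r["decoded"]
        if r["api"] == "VirtualAlloc" and d.get(3, "").split("|")[0] == "PAGE_EXECUTE_READWRITE":
            notes.append(f"{r['ref']:08X}: RWX allocation ({d[2]}, {d[3]}) - buffer for unpacked code")
        if r["api"] == "VirtualProtect" and d.get(2, "").split("|")[0] in WRITABLE_PAGES:
            notes.append(f"{r['ref']:08X}: VirtualProtect makes a page writable ({d[2]}) - in-place patching")
        if r["api"] == "VirtualFree" and "MEM_RELEASE" in d.get(2, ""):
            notes.append(f"{r['ref']:08X}: VirtualFree(MEM_RELEASE) - scratch buffer released after use")
    apis = [r["api"] for r in records]
    if "MessageBoxA" in apis and "ExitProcess" in apis:
        notes.append("MessageBoxA followed by ExitProcess - fatal error path (see the string table)")
    return records, notes


if __name__ == "__main__":
    recs, found = review(SAMPLE_API_LINES)
    for r in recs:
        print(f"{r['ref']:08X} {r['module']}!{r['api']} {r['decoded']}")
    for n in found:
        print("NOTE", n)
```

The two VirtualFree lines differ in a way the raw hex hides: 0x8000 is MEM_RELEASE (the region at 02450E85 is returned to the system) while 0x4000 at 024500BE is MEM_DECOMMIT only, which keeps the reservation. Likewise the memory-dump lines' "based on PE: false" say the 02450000 region is not backed by a module on disk, consistent with the RWX VirtualAlloc above it.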

                                                              Execution Graph

                                                              Execution Coverage:9.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3
                                                              execution_graph (rundll32, dump at 26b0000; the same code as the loaddll32 graph above, rebased), read from the node/edge listing:
                                                              • 26b1525 LoadLibraryA and 26b1547 GetProcAddress (listed without edges)
                                                              • 26b14c0 VirtualProtect -> 26b14ff VirtualProtect (directly, or via 26b14fb)
                                                              • 26b0e9f -> 26b0ea9 LoadLibraryA -> 26b0ec1 -> 26b0ec7 GetProcAddress -> back to 26b0ec1 (inner loop); 26b0ec1 -> 26b0ea9 (outer loop) or 26b0ee4 (exit)
                                                              • 26b0cd0 -> 26b0d32 -> 26b0d3e -> 26b0d57 VirtualAlloc -> 26b0d86, then one of: 26b0e28 MessageBoxA ExitProcess; 26b0e42 -> 26b0e70 VirtualFree -> 26b0ce7 -> 26b0cf9 -> 26b0d29 -> 26b0d57 VirtualAlloc -> 26b0d86 (same branches, wsprintfA at 26b0e0c); 26b0dc7 -> 26b0dd7 wsprintfA -> 26b0de7 -> 26b0e28 MessageBoxA ExitProcess (or 26b0dc7 -> 26b0de7 directly)
                                                              • 26b0c8d -> 26b0caf -> 26b0d57 VirtualAlloc -> 26b0d86, with the same three branches (26b0e28 MessageBoxA ExitProcess; 26b0e42 -> 26b0e70 VirtualFree; 26b0dc7 -> 26b0e0c wsprintfA -> 26b0de7 -> 26b0e28)
                                                              • 26b0063 -> 26b0067 -> 26b006b VirtualAlloc -> 26b0084 -> 26b00b5 VirtualFree -> 26b00c3 (26b0067 and 26b006b also branch straight to 26b00c3)
                                                              • 26b002a -> 26b002c -> 26b0047 -> 26b004b -> 26b003b, directly or via 26b0056 VirtualFree (itself reached directly or via 26b0063 "2 API calls"); 26b003b -> 26b0056 VirtualFree -> 26b00c3, or 26b003b -> 26b0063 (the VirtualAlloc/VirtualFree helper above) -> 26b00c3 -> 26b0056 VirtualFree -> 26b00c3; 26b002c -> 26b00c3


                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 026B0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 026B0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 026B0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 026B0E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: a9f2609d8d99b985d985e046cf9cf7e5a90e7c153e2a1911beab176ce6f26730
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 9E5114312057859FDB3B8F20CC50BEB3BB5AF06304F09419EDD869B296EB34A855CB95

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 026B0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 026B0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 026B0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 026B0E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 026B0E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: 449f0bfe383c7d9a288bc2a808756e8eeb5173c59921672a0b5dd90848a6a818
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: C0418A362007069BEB3A8F14CC44FEB77A5AF49351F04421DEE4AA7688EB70A851CB94

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 026B0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 026B0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 026B0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 026B0E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 026B0E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: 82d5515ce965983fa0da78a9b8faf607a2d65072588a302f6e718a12b82bba7a
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: 7131CB362003469FDB3A9F10CC84FEB7BA6AF45351F00415DEE4697285EF70A851CB94

                                                              Control-flow Graph

                                                              control_flow_graph (basic blocks and edges): 26b14c0-26b14f9 (VirtualProtect) -> 26b14ff-26b1517 (VirtualProtect), directly or via 26b14fb-26b14fd
                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 026B14EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 026B150D
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: 34583468385557dc039e451c542ff9b6cdbfcf854f9d7b665f694bdf37f935bb
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 34F0E933240245AFEB098F64D895EEE7768DF49398B2000AAF7029A286CA71D551C754

                                                              Control-flow Graph

                                                              [Graph rendering not reproduced. Basic blocks 26b0063-26b00ca; calls VirtualAlloc, a sub-function at 26b00cd, and VirtualFree (see APIs below).]
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 026B007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 026B00BE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: dcd0856e75538f2999daad4a6792d76ba7ea0d96acf1c113b21194be6c5f0ba9
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: A001AF72209682BEE7324AA19C00F77BFECDF48712F144C5AFAD5C2190DA26E4818B70

                                                              Control-flow Graph

                                                              [Graph rendering not reproduced. Basic blocks 26b002a-26b00ca; calls sub-functions at 26b0047 and 26b0063, then VirtualFree (see APIs below).]
                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 026B00BE
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1428208301.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_26b0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: ae674e14619bcb59e0a0ceaf2b73211771bfcdde9d018070658d59be1a142ed8
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 91F02E2254E3916DF62677347C44AA7BF98EF43325B150D9BDC40D6091DE11D882CBF4

                                                              Execution Graph

                                                              Execution Coverage:4.5%
                                                              Dynamic/Decrypted Code Coverage:11%
                                                              Signature Coverage:1.1%
                                                              Total number of Nodes:282
                                                              Total number of Limit Nodes:12
                                                              [Execution graph rendering not reproduced. Nodes span the module at 10000000 and the unmapped regions at 3390000. Windows APIs appearing as node labels: Sleep, wsprintfA, wvsprintfA, PathFileExistsA, CreateFileA, ReadFile, WriteFile, CloseHandle, StrStrIA, lstrcmpiA, InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, gethostbyname, GetExtendedUdpTable, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, GetShortPathNameA, GetDriveTypeA, CreateMutexA, GetLastError, CreateThread, CreateToolhelp32Snapshot, Process32First, Process32Next, MultiByteToWideChar, SafeArrayCreate, VariantInit, PrintFile, VirtualAlloc, VirtualFree, VirtualProtect, MessageBoxA, ExitProcess, ExitWindowsEx.]

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$12010043$L2ltYWdlLnBocA==$NPKI$P
                                                              • API String ID: 0-3984435826
                                                              • Opcode ID: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                                              • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                              • Opcode Fuzzy Hash: 0a215aef5ca7b5c606a273fdfbec72fd9b9d822c18bbfb0613fe871d940a9004
                                                              • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CreateSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 3332741929-0
                                                              • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                              • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                                              • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                              • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12

                                                              Control-flow Graph

                                                              APIs
                                                              • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                              • Sleep.KERNEL32 ref: 10007059
                                                              • wsprintfA.USER32 ref: 1000709D
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000), ref: 100070D6
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000,?,00000000), ref: 100070E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FilePrintSleep$wsprintf
                                                              • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                              • API String ID: 1547040302-3813294871
                                                              • Opcode ID: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                                              • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                              • Opcode Fuzzy Hash: 6901e9babde4ee68b3136e4664651ea7350d119c703396e769bb1a0f608c4114
                                                              • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55

                                                              Control-flow Graph

                                                              APIs
                                                              • wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                                • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,75570ECC,0007D000,00000000,00000000), ref: 100065C8
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,75570ECC,0007D000,00000000,00000000), ref: 100065E6
                                                              • wsprintfA.USER32 ref: 100066E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                              • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                              • API String ID: 4077377486-2496724313
                                                              • Opcode ID: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
                                                              • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                              • Opcode Fuzzy Hash: 75abeeb0c1ce65552ecf3d51c3df04188886b104fd09b7b212ed437500202792
                                                              • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1

                                                              Control-flow Graph

                                                              [Graph rendering not reproduced. Basic blocks 3390c8d-3390e90; calls VirtualAlloc, wsprintfA, MessageBoxA, ExitProcess and VirtualFree, plus sub-functions at 3390cc2, 3390e91, 339116c, 33910ca, 3390fe5, 3390eeb, 3391338 and 33914b2 (see APIs below).]
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03390D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03390E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03390E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03390E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 0dc3fe3d50238f7a50c6b9f96ad1a76187ac6ca5bb2fe5830f4f3f35f94fb1a2
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 1251F731505785DFEB3ACF20CC80BEB7BB5AF06200F09419BDD469B296EB34A815CB51

                                                              Control-flow Graph

                                                               Control-flow graph (basic block id, address range, calls made inside the block, successors):
                                                               • 225 3390cf9-3390d27 -> 226, 227
                                                               • 226 3390d29-3390d2e -> 227, 229
                                                               • 227 3390d3e-3390d8e: call 3390e91, VirtualAlloc, call 339116c -> 233, 234
                                                               • 229 3390d30-3390d3c -> 227
                                                               • 233 3390e28-3390e3c: MessageBoxA, ExitProcess (terminal)
                                                               • 234 3390d94-3390db3: call 33910ca, call 3390fe5, call 3390eeb -> 241, 242
                                                               • 241 3390db9-3390dc5: call 3391338 -> 242, 248
                                                               • 242 3390e42-3390e4b -> 243, 244
                                                               • 243 3390e4d-3390e5f -> 244
                                                               • 244 3390e62-3390e90: call 33914b2, VirtualFree (terminal)
                                                               • 248 3390dc7-3390dd5 -> 250, 251
                                                               • 250 3390ddf-3390de5 -> 253, 254
                                                               • 251 3390dd7-3390ddd -> 252
                                                               • 252 3390e0c-3390e1c: wsprintfA -> 255
                                                               • 253 3390e05-3390e0b -> 252
                                                               • 254 3390de7-3390e03 -> 255
                                                               • 255 3390e22 -> 233
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03390D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03390E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03390E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03390E3C
                                                               • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03390E85 (dwFreeType 0x8000 = MEM_RELEASE)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: 207c62f5f311e2eb6d48a7fcc404602473ee88d5797fa62d5cbabc7eeb6c2b47
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: D4417D36A40706DFEB38DF14CC84EEB73A5AF48351F04421AED46A7644EB70B911CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2
                                                                • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseFormatQueryTimeValue___crt
                                                              • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                              • API String ID: 271660946-3893357082
                                                              • Opcode ID: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                                              • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                              • Opcode Fuzzy Hash: 37022121a03464651817a9c0c5e1d81c5aa94c867a3c5e15367f04ef0a505e5e
                                                              • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03390D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03390E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03390E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03390E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03390E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: 7e9fcf6cf0729449e694010dcecbb12c12aa84c6529f573c3c16f81776767656
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: 4D31A936A00746DFEB38DF10CC80EEB77A9AF44351F04411EED469B684EB70A810CB50

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                 • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A (the argument dump carries 000F003F = KEY_ALL_ACCESS and 80000001 = HKEY_CURRENT_USER)
                                                              • wsprintfA.USER32 ref: 10006D88
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,dtfd,00000000,00000001,?,00000001,?), ref: 100040E9
                                                                • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                              • String ID: %s "%s",DoAddToFavDlg$C:\Users\user\Desktop\08e2VwqyI0.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                              • API String ID: 1762869224-1979437191
                                                              • Opcode ID: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                                              • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                              • Opcode Fuzzy Hash: fe4a6ca71fda934b348afe6d657169d78400bf351d74a23e551a426737a6504a
                                                              • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4
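The function above builds a Run-key value from the format string `%s "%s",DoAddToFavDlg`, the rundll32 path and the DLL path listed in its String ID field, and writes it as REG_SZ through RegCreateKeyExA/RegSetValueExA. The following is an added triage helper, not code from the sample or from Joe Sandbox: it parses Run-key values of that shape and flags rundll32 launches whose DLL lives outside the system directories. The first sample entry is reconstructed from the report's format string and the two paths next to it; the other entries and the `TRUSTED_PREFIXES` list are constructed assumptions for a default-layout Windows install.

```python
"""Flag Run-key values that launch a DLL through rundll32 from a user-writable path.

Added example; not code from the sample. The first entry below is
reconstructed from the report's format string '%s "%s",DoAddToFavDlg' and the
two paths listed next to it; the other entries are constructed for contrast.
"""
import re

# <host rundll32> <dll path, optionally quoted>,<export name>
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<host>[^"]*?rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'
    r'(?P<export>[^\s,]+)',
    re.IGNORECASE,
)

# Directories where a DLL run at logon is expected to live (lower-case prefixes).
# Assumption: default-layout Windows install on C:; adjust for other layouts.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

SAMPLE_RUN_ENTRIES = [
    # Reconstructed from the report's format string and paths.
    ("dtfd", r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\08e2VwqyI0.dll",DoAddToFavDlg'),
    # Constructed benign entries.
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("VendorHook", r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\vendorhook.dll",Init'),
]


def parse_rundll32_command(value):
    """Split a rundll32 command line into host, DLL path and export, or None."""
    m = RUNDLL32_RE.match(value)
    if not m:
        return None
    return {"host": m["host"], "dll": m["dll"], "export": m["export"]}


def assess_run_entry(name, value):
    """Return the parsed entry plus a 'suspicious' verdict and a reason string."""
    result = {"name": name, "value": value, "suspicious": False, "reason": ""}
    parsed = parse_rundll32_command(value)
    if parsed is None:
        return result  # not a rundll32 launch; other checks would go here
    result.update(parsed)
    if not parsed["dll"].lower().startswith(TRUSTED_PREFIXES):
        result["suspicious"] = True
        result["reason"] = "rundll32 loads a DLL from outside the system directories: " + parsed["dll"]
    return result


def triage_run_entries(entries):
    """Assess a list of (value name, value data) pairs read from a Run key."""
    return [assess_run_entry(name, value) for name, value in entries]


if __name__ == "__main__":
    for r in triage_run_entries(SAMPLE_RUN_ENTRIES):
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:<10} {r['name']}: {r['value']}")
```

The check keys on the DLL argument rather than on the first token: the host here is a legitimate C:\Windows\SysWOW64\rundll32.exe, so a rule that only trusts the launched binary would pass this entry while the payload DLL sits on the user's Desktop. The regex does not handle DLL paths that themselves contain a comma.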

                                                              Control-flow Graph

                                                              APIs
                                                               • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394 (0x80000 = 524288 ms, roughly 8.7 minutes)
                                                              • wsprintfA.USER32 ref: 100083E6
                                                              Strings
                                                              • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                              • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                              • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                              • 8.8.8.8, xrefs: 100083EF
                                                              • 127.0.0.1, xrefs: 100083F4
                                                              • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleepwsprintf
                                                              • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                              • API String ID: 1749205058-626475063
                                                              • Opcode ID: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                                              • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                              • Opcode Fuzzy Hash: 54eedc971582e05c3486c3a0f88f100d4df9f5038933db9e4620657874ea0a6d
                                                              • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                              • GetLastError.KERNEL32 ref: 10006AA8
                                                                • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                               • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD (0x2BF20 = 180000 ms = 3 minutes)
                                                              • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                              • String ID: 0x5d65r455f$5762479093
                                                              • API String ID: 3244495550-2446933972
                                                              • Opcode ID: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                                              • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                              • Opcode Fuzzy Hash: 3b97f3ef57c6d34437c21e844b3cc3d0ae84d0d31088cb251ee543bf93b7c76e
                                                              • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3

                                                              Control-flow Graph

                                                              APIs
                                                               • Sleep.KERNEL32(00002710), ref: 1000857E (0x2710 = 10000 ms = 10 seconds)
                                                               • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF (0x1B7740 = 1800000 ms = 30 minutes)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                              • API String ID: 3472027048-3516831565
                                                              • Opcode ID: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                                              • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                              • Opcode Fuzzy Hash: 97b5d75c4eae03a1f54d307b40641d8b725bb66f95620e0adc97901586be56a8
                                                              • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91

                                                              Control-flow Graph

                                                              APIs
                                                               • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 100044E9 (NULL table buffer: size query; bOrder 1, ulAf 2 = AF_INET, TableClass 1 = UDP_TABLE_OWNER_PID, which maps each UDP endpoint to its owning PID)
                                                               • GetExtendedUdpTable.IPHLPAPI(?,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,?,iphlpapi.dll), ref: 10004513 (second call fills the sized buffer; the "GetExtendedUdpTable" and "iphlpapi.dll" strings in the argument dump indicate the import is resolved at run time)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ExtendedTable
                                                              • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                              • API String ID: 2407854163-1809394930
                                                              • Opcode ID: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                                              • Instruction ID: 6449560a486cb6172ee975f2d37c1f40bf8993c7a1880d61e14318031523e361
                                                              • Opcode Fuzzy Hash: 8f3a0eb883154a3195ca5da507f2da972492a258440e1d6e2132d319b0eaf8e7
                                                              • Instruction Fuzzy Hash: D1215CB5500508BFEB20DB69DC46EAF77BCDF813D1F214519F9119A086DE30AE808674

                                                              Control-flow Graph

                                                              APIs
                                                              • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                              Strings
                                                              • svchsot.exe, xrefs: 10008524
                                                              • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                              • API String ID: 3472027048-2214221337
                                                              • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                              • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
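Several String ID fields in this report carry base64 text rather than plaintext: the Run-key path next to the DoAddToFavDlg format string, the hosts-file and ipconfig strings in the Sleep/wsprintfA function, the URL in the 10-second/30-minute Sleep function, and the SOFTWARE Run-key path next to svchsot.exe. The following decoder is an added triage helper, not code from the sample or from Joe Sandbox; the encoded tokens are copied from the String ID lines of this report, and the length floor and printable filter are assumptions chosen to keep short identifiers out of the output.

```python
"""Decode the base64-looking strings that appear in the report's String ID fields.

Added triage helper; this is not code from the sample or from Joe Sandbox.
The encoded tokens are copied from the String ID lines of this report, and
the decoder is generic: it accepts any '$'-separated field list.
"""
import base64
import binascii
import re

# String ID fields copied from the report (fields are '$'-separated).
STRING_ID_FIELDS = [
    r'%s "%s",DoAddToFavDlg$C:\Users\user\Desktop\08e2VwqyI0.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd',
    r"%u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php",
    r"127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php",
    r"0x5d65r455f$5762479093",
    r"D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT",
    r"U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe",
]

# Standard alphabet, at least 12 characters, optional '=' padding. The length
# floor (an assumption) keeps short identifiers such as "SWVU", which happens
# to decode to the printable "IeT", out of the results.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def try_decode(token):
    """Return the plaintext if token is base64 for printable ASCII, else None."""
    if len(token) % 4 != 0 or not B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Reject decodings that are only base64-shaped by accident (binary junk).
    return text if text and text.isprintable() else None


def decode_string_ids(fields):
    """Map every base64 token found in the '$'-separated fields to its plaintext."""
    found = {}
    for line in fields:
        for token in line.split("$"):
            decoded = try_decode(token)
            if decoded is not None:
                found[token] = decoded
    return found


if __name__ == "__main__":
    for token, plain in decode_string_ids(STRING_ID_FIELDS).items():
        print(f"{token[:24]:<24}... -> {plain}")
```

Two things worth noting in the output. The URL token decodes to http://107.163.56.110:18530/u1129.html, a second network indicator distinct from the 107.160.131.254:23588 URL that appears in clear text, so both belong in the IOC list. Both Run-key tokens decode with doubled backslashes (Software\\Microsoft\\Windows\\CurrentVersion\\Run and its upper-case SOFTWARE variant); that is what the sample encoded, and the report does not show how the path is normalized before RegCreateKeyExA, so match on the decoded text as-is rather than assuming a canonical registry path.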

                                                              Control-flow Graph

                                                               Control-flow graph (basic block id, address range, calls made inside the block, successors):
                                                               • 559 100087b6-100087ea: CreateThread, Sleep, CreateThread, Sleep -> 561
                                                               • 561 100087eb-100087f2 (terminal)
                                                              APIs
                                                               • CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
                                                               • Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8 (0x1388 = 5000 ms = 5 seconds)
                                                               • CreateThread.KERNEL32(?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
                                                               • Sleep.KERNEL32(000000FF,?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E8 (0xFF = 255 ms)
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CreateSleepThread
                                                              • String ID:
                                                              • API String ID: 4202482776-0
                                                              • Opcode ID: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                                              • Instruction ID: 2df9746d7e78e8372c6e87ac4aa0691d1060a96339f5c4ce5d4c7b8b7a8da0f8
                                                              • Opcode Fuzzy Hash: 7611a2c7549d694aa888d6d647670ac1460baf17db733e16608d155f4bf44ca4
                                                              • Instruction Fuzzy Hash: 46E05EE024435DBDF321B2791CC8DFF1E0DEB812FCB254252F528100CB6A540D048AB2
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006B55
• CreateThread.KERNEL32(?,?,1000687E), ref: 10006B6B
• Sleep.KERNEL32(00002710,?,00000000,00000000,000000FF,?,?,1000687E), ref: 10006B88
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Create$ErrorLastMutexSleepThread
• String ID:
• API String ID: 145085098-0
• Opcode ID: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
• Instruction ID: 4f35827bfa7b5ea93410d600da94e256639eda4c8ceaa52b9f8b13dee9a51c26
• Opcode Fuzzy Hash: 9fdb200d5929ef7e8f6a96f443088d0c96ecfb43422a1e838647d38a76ea70c1
• Instruction Fuzzy Hash: 463182714043905EF716DB284C45EA7BFAEDF5A390B14416AF8A5CB287D620D941C771
APIs
Strings
• http://107.160.131.254:23588/article.php, xrefs: 1000716B
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: http://107.160.131.254:23588/article.php
• API String ID: 1749205058-3833642815
• Opcode ID: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
• Instruction ID: aabc6cc0ccec88c78b37051fa20fdae4f9ca8aa4d7268392f08ad21868547801
• Opcode Fuzzy Hash: 97092958d065cc5244b5ac70b0ba84f38b29928c2b3a7baf181ba609d4b8ef37
• Instruction Fuzzy Hash: 462129B6D046557AF724D368CC56FCF37ACEF053D0F2000A6F608A50C6E679AE818A11
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006201
Strings
• TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: FormatInternetOpenTime___crt
• String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
• API String ID: 483802873-1756078650
• Opcode ID: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
• Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
• Opcode Fuzzy Hash: 82af1a15f59e1fdef4f373340f409e9f860dae93766629ca999b654561017b81
• Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
Strings
• TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InternetOpen$FormatTime___crt
• String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
• API String ID: 1165476586-1918919809
• Opcode ID: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
• Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
• Opcode Fuzzy Hash: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
• Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep
• String ID: C:\Program Files
• API String ID: 3472027048-1387799010
• Opcode ID: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
• Instruction ID: c9703108929f2dc2805788eab40c91aa3f5a92b87bc929f4f41ff718cce9746c
• Opcode Fuzzy Hash: ef70be951d54eb09da497d03d6b876b815efcf974a7af6f3814c100205ad0eea
• Instruction Fuzzy Hash: 40F0723A905AA1A6F701DFA409C068B776DFF022A0B210026F840BF047C7B18E0243E2
APIs
• VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 033914EF
• VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0339150D
Memory Dump Source
• Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
• Instruction ID: 14ecbab0e9fc75e24908ad7a18ec83704a7a92c03326c84d4ceafe30f4b9406c
• Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
• Instruction Fuzzy Hash: 20F0E933240245EFEF098F64D885EFE7768DF48398B20006BF702AA286CA71D551C754
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0339007E
• VirtualFree.KERNELBASE(00000000,?,00004000), ref: 033900BE
Memory Dump Source
• Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
• Instruction ID: 46510404fb69bad03e18a186c3725145e2027c2b4d44e9ffc704eef1bbdcbdeb
• Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
• Instruction Fuzzy Hash: D801A476209712BEFB318AA19C41F37BBDCDF48612F184C5BFAD5C6190D929E4409B70
APIs
• RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
• Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
• Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
• Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91
APIs
• RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
• Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
• Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
• Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1
APIs
• InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InternetOpen
• String ID:
• API String ID: 2038078732-0
• Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
• Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
• Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
• Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95
APIs
• CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
• Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
• Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
• Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02
APIs
• GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
Memory Dump Source
• Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: NamePathShort
• String ID:
• API String ID: 1295925010-0
• Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
• Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
• Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
• Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12
                                                              APIs
                                                              • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                              • Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
                                                              • Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                              • Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12
                                                              APIs
                                                              • Process32Next.KERNEL32(00000000,00000000), ref: 1000411D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                              • Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
                                                              • Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                              • Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12
                                                              APIs
                                                              • GetDriveTypeA.KERNEL32(?,1000824C,10015940), ref: 1000400E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: DriveType
                                                              • String ID:
                                                              • API String ID: 338552980-0
                                                              • Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                              • Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
                                                              • Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                              • Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01
                                                              APIs
                                                              • RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                                              • Instruction ID: c461232d01f39555025ee1551a6f08c036cd225bd5518e59674b318f5e785400
                                                              • Opcode Fuzzy Hash: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                                              • Instruction Fuzzy Hash: 799002705055119BDE415B11CF494097AA5AB84701B008458E04A41030C7318810EA01
                                                              APIs
                                                              • gethostbyname.WS2_32(00000000), ref: 10003EB8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: gethostbyname
                                                              • String ID:
                                                              • API String ID: 930432418-0
                                                              • Opcode ID: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
                                                              • Instruction ID: ddc175de635f80408d7ee48a1059bf0ffdd1ba2c9e36570999931cb834b2f0bc
                                                              • Opcode Fuzzy Hash: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
                                                              • Instruction Fuzzy Hash: F7900270545110ABDE015B21CF4A4097A61AB85B01B048454E14940031C7318810EA12
                                                              APIs
                                                              • PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID:
                                                              • API String ID: 1174141254-0
                                                              • Opcode ID: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                                              • Instruction ID: df56204a28902bd86cd8e7b59e1535f4ff11cbe2af3c274bf077f84441daad3a
                                                              • Opcode Fuzzy Hash: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                                              • Instruction Fuzzy Hash: 869002705051109BDF015B11CF494497A65AB84701B00855CF05A41431C7318910EA01
                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 033900BE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3874703382.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_3390000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: 737cc61f8d8c321ac22aab0ee3ceae0b3c58cf4e578e70d008536bacd0ee513f
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 7FF02E2695A311ADFE18F7347CC8A27FB98DF43221B170D97DC40D7191DD19D84296E4
                                                              APIs
                                                              • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FileInternetRead
                                                              • String ID:
                                                              • API String ID: 778332206-0
                                                              • Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                              • Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
                                                              • Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                              • Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02
                                                              APIs
                                                              • ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ExitWindows
                                                              • String ID:
                                                              • API String ID: 1089080001-0
                                                              • Opcode ID: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                                              • Instruction ID: a0a7e03ceb7acd9bb0d3454ea8bb5ca0f40435505fc546ba40186378cb909d0a
                                                              • Opcode Fuzzy Hash: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                                              • Instruction Fuzzy Hash: 81A00175509222EBDE025B51CE4888ABEA6AB88381F008858F28940031C77284A2EB02
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
                                                              • Instruction ID: 9deb1ace0ade157a7cf376dc79b16b2541233208deadd1a3cef8bf08dc3f5488
                                                              • Opcode Fuzzy Hash: e333d78722ad0821d4e98b6652e5a75445b5621be3666c330cc0561f1e3ae06e
                                                              • Instruction Fuzzy Hash: 43F0682128E3C15DE30186685441BC1FF846B76314F0CC7CDB1D40B283C1954084CBA6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
                                                              • Instruction ID: f0cb1bca0584f7cb9865d2b0003cd1252f49916ae924d73bcd8c513b2b9b2d6d
                                                              • Opcode Fuzzy Hash: 12b9005d6082dbdac1a2845a9fd333a3e7a79171a5b874446ea0314262c5ac30
                                                              • Instruction Fuzzy Hash: 11E0E5A440C38AFEC703AB3488840E93FA6EE91310F04840CF4C403A02E3B589A09332
                                                              APIs
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                              • VariantInit.OLEAUT32(?), ref: 1000734D
                                                              • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                              • VariantInit.OLEAUT32(?), ref: 10007377
                                                                • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                              • VariantInit.OLEAUT32(?), ref: 10007513
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant$ArrayCreateSafe
                                                              • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=5w
                                                              • API String ID: 2640012081-3861124693
                                                              • Opcode ID: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
                                                              • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                                              • Opcode Fuzzy Hash: 12229ab9ea9be2b5515b3a4e7304c5cbd28c893a32b3e86cd77fead74930fbe5
                                                              • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf
                                                              • String ID: %s\%s$%s\version.txt$12010043$12010043$C:\Users\user\Desktop$C:\Users\user\Desktop\08e2VwqyI0.dll$C:\Users\user\Desktop\12010043$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB45F69C$M%s$Mhost123.zz.am:6658$host123.zz.am:6658
                                                              • API String ID: 2111968516-1096733929
                                                              • Opcode ID: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
                                                              • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                                              • Opcode Fuzzy Hash: 857beac2df9e912fa28a8a8c5910c135d4b4ee4941f056ece51d960c3556155a
                                                              • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                              • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                              • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                              • VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 10005009
                                                              • VariantInit.OLEAUT32(?,?,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 1000500F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=5w$svchost.exe$svchost.exe -k NetworkService
                                                              • API String ID: 1927566239-4270180057
                                                              • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                                              • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                                              APIs
                                                              • wsprintfA.USER32 ref: 1000574F
                                                              • wsprintfA.USER32 ref: 100057B1
                                                              • wsprintfA.USER32 ref: 100057C5
                                                              • PrintFile.08E2VWQYI0(?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000,?,1000720C), ref: 100057E8
                                                              • CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,00000000), ref: 10005835
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$CreateFilePrintThread
                                                              • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                              • API String ID: 1788855648-1421401311
                                                              • Opcode ID: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
                                                              • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                                              • Opcode Fuzzy Hash: ae8518da5cd223e832b712c6548c98f9a89997a3f3d4d6029e7fac4c4bf50c1f
                                                              • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                                              APIs
                                                              • wsprintfA.USER32 ref: 10005437
                                                              • wsprintfA.USER32 ref: 1000549E
                                                              • wsprintfA.USER32 ref: 100054BC
                                                              • PrintFile.08E2VWQYI0(?,?,10016594,?,00000000), ref: 100054DE
                                                              • wsprintfA.USER32 ref: 10005582
                                                              • Sleep.KERNEL32(000003E8,00000000,76C08400,?,40000000,00000001,00000000,00000002,00000000,00000000,7541C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                                              Strings
                                                              • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                              • %s\%s, xrefs: 10005431
                                                              • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$FilePrintSleep
                                                              • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                                              • API String ID: 518940211-4228670124
                                                              • Opcode ID: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
                                                              • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                                              • Opcode Fuzzy Hash: c361d524b353549e0f38205e8cfe1225c09218ba4335209976bd8a7148bd2516
                                                              • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
                                                              APIs
                                                              • Sleep.KERNEL32(?,?,?,cmd.exe), ref: 100043A6
                                                              • Sleep.KERNEL32(000003E8), ref: 100043E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                                              • API String ID: 3472027048-2620343502
                                                              • Opcode ID: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
                                                              • Instruction ID: 2962837d3e63ffe82077fec71eea4cc39f059f6aab2461bdb2792d37a05628b4
                                                              • Opcode Fuzzy Hash: 3f59aa8a2a531e52e96b689b157fed57f8b0b4aca2b36427f54941e0ecbe5060
                                                              • Instruction Fuzzy Hash: 370126BA000394BAFB12BB74EC46F9E3B5CDF452E2F120016F9446D086CEB5AA804565
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?,000000BC,00000000,?,00000128,00000000), ref: 10005F21
                                                                • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,00000000,00000001,SeShutdownPrivilege,00000001,00000000,00000000,?,000000BC,00000000,?), ref: 10004132
                                                                • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                                • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(00000000,00000010,?,00000000,00000000,10005F7E,?,10005F7E,00000000,00000000,?,00000010,00000000,00000000), ref: 10004064
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                              • String ID: %s\lang.ini$C:\Users\user\Desktop
                                                              • API String ID: 3793502078-2679580386
                                                              • Opcode ID: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
                                                              • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                                              • Opcode Fuzzy Hash: 4c2164c536502c8c7bf62064663df8d628c4358b27154a1aa27f72d12e264788
                                                              • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                                              • API String ID: 1721638100-2691734327
                                                              • Opcode ID: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
                                                              • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                              • Opcode Fuzzy Hash: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
                                                              • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                                              • API String ID: 1721638100-4272537799
                                                              • Opcode ID: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
                                                              • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                              • Opcode Fuzzy Hash: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
                                                              • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660
                                                              APIs
                                                              Strings
                                                              • C:\Users\user\Desktop, xrefs: 1000880B
                                                              • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleepwsprintf
                                                              • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                              • API String ID: 1749205058-715194466
                                                              • Opcode ID: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
                                                              • Instruction ID: cb8f3af107b47666e7401f40fe0349a9d09f1feb376e898973d7629cffdb37cc
                                                              • Opcode Fuzzy Hash: d826f062264427af496b9675ff0d63a37454a8e3147eb2671c5731483726d261
                                                              • Instruction Fuzzy Hash: 00F0AEF250019DABEB15CBA4CC857EA3768FF04285F040975F705F5051DBB19AC44A55
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: $p=5w
                                                              • API String ID: 1927566239-2851331367
                                                              • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                                              • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                                              APIs
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                                • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3925361248.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000004.00000002.3925334156.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925386960.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925411579.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925436103.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925470881.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000004.00000002.3925504271.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CreateTimer$Concurrency::details::platform::__FileQueue
                                                              • String ID: %s\lang.ini$C:\Users\user\Desktop
                                                              • API String ID: 3486561800-2679580386
                                                              • Opcode ID: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
                                                              • Instruction ID: 2e9b22e8cb94d114ab57fa925500967999958ebf182bde47e5e7f2d31677baea
                                                              • Opcode Fuzzy Hash: b1726d4115c593d66bb357bf89ab1e7ee1f9c93add6e05033f4287082a534528
                                                              • Instruction Fuzzy Hash: 23E0687290112432E670D1669C07FCF3E9CDB857F4F000220B688E60C4DAB4AAC4C6E0

                                                              Execution Graph

                                                              Execution Coverage:11.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3
                                                              [Execution graph figure: node/edge listing for the 4710000 region (nodes 4710cd0 through 4710ee4). API nodes in the graph: VirtualAlloc, VirtualFree, wsprintfA, MessageBoxA, ExitProcess (error path), VirtualProtect, LoadLibraryA, GetProcAddress.]

                                                              Callgraph

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04710D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04710E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04710E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04710E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 2c9dd46cf9686134bcd8465d4408e129fc0587f713d2416b3b3a6723df39e800
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 6F5103312057C58FDB368F24CC84ADB3BB5AF06304F09419EDD869B6A6EB34B818CB50

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04710D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04710E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04710E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04710E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04710E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: 81f42de33e08f78c1601f8ed2f0f5fd2bc383c776d99eafd827dbb30f61b8df7
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: 61418C322007469BEB34DF29CC84EEB73A5EF48355F044118EE46A7798EB70B955CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04710D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04710E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04710E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04710E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04710E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: a6b36580d22fd4c26a6961609938a0eabdb25f74a4351e88f350dc6279e2fb90
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: A631A9322003869FEB389F29CC84FEB77A5AF48355F00411DEE4697A95EB70B814CB50

                                                              Control-flow Graph

                                                              [Control-flow graph figure (legend: Executed / Not Executed): blocks 47114c0-47114f9 (VirtualProtect) -> 47114fb-47114fd and 47114ff-4711517 (VirtualProtect).]
                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 047114EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0471150D
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: 7e56a9df98f4e51ecf5612cc5e013fa7e4570dc312fc51ecf998214a7cf9962b
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 2FF0E933240245AFEB098F68D885EEE7768DF48398B20006AF7029E286CA71E551C754

                                                              Control-flow Graph

                                                              [Control-flow graph figure (legend: Executed / Not Executed): blocks 4710063-4710069 -> 47100c3-47100c5 or 471006b-4710082 (VirtualAlloc) -> 4710084-47100b0 (call 47100cd) -> 47100b2-47100b4 / 47100b5-47100c1 (VirtualFree) -> 47100c6-47100ca.]
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0471007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 047100BE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: d8b898f0a42fc4ce432f4baba8389eeee95ebcbd13c5f1be8cd0385d593b33a7
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: D001F4722096417EE7314AA59C00F33BBDCDF08316F044C9AFAD5C15A0D922F5808B30

                                                              Control-flow Graph

                                                              [Control-flow graph figure (legend: Executed / Not Executed): blocks 471002a-471002e -> 47100c3-47100c5 or 4710034-4710043 (call 4710047) -> 4710045-4710061 (call 4710063) -> 47100aa-47100b0 -> 47100b2-47100b4 / 47100b5-47100c1 (VirtualFree) -> 47100c6-47100ca.]
                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 047100BE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1436266774.0000000004710000.00000040.00001000.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4710000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: 956f17df4fc2b6097bdacbffc3e1b2349db9036a38f53b72c292ba346bb5c6fb
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 4EF0593225A38169F31067387D48A27BB98DB02229B050D97DC40D25B1DD11E98286A4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 12010043
                                                              • API String ID: 0-1530405306
                                                              • Opcode ID: 244b7cbdff811d894f755473b4da469e1646f99ca6ba9c142f7eec193f4a55a6
                                                              • Instruction ID: d8f586cfb2acdd232f2dfe4693d98a20b48973cb1efe48d49be8cb568dbb4cca
                                                              • Opcode Fuzzy Hash: 244b7cbdff811d894f755473b4da469e1646f99ca6ba9c142f7eec193f4a55a6
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                              • VariantInit.OLEAUT32(?), ref: 1000734D
                                                              • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                              • VariantInit.OLEAUT32(?), ref: 10007377
                                                                • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                              • VariantInit.OLEAUT32(?), ref: 10007513
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant$ArrayCreateSafe
                                                              • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=5w
                                                              • API String ID: 2640012081-3861124693
                                                              • Opcode ID: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                              • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                                              • Opcode Fuzzy Hash: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                              • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=5w$svchost.exe$svchost.exe -k NetworkService
                                                              • API String ID: 1927566239-4270180057
                                                              • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                                              • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                                              APIs
                                                              • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                              • Sleep.KERNEL32 ref: 10007059
                                                              • wsprintfA.USER32 ref: 1000709D
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000), ref: 100070D6
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000,?,00000000), ref: 100070E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FilePrintSleep$wsprintf
                                                              • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                              • API String ID: 1547040302-3813294871
                                                              • Opcode ID: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                              • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                              • Opcode Fuzzy Hash: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                              • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55
                                                              APIs
                                                              • wsprintfA.USER32 ref: 1000574F
                                                              • wsprintfA.USER32 ref: 100057B1
                                                              • wsprintfA.USER32 ref: 100057C5
                                                              • PrintFile.08E2VWQYI0(?,?,00000000), ref: 100057E8
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$CreateFilePrintThread
                                                              • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                              • API String ID: 1788855648-1421401311
                                                              • Opcode ID: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                              • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                                              • Opcode Fuzzy Hash: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                              • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                                              APIs
                                                              • wsprintfA.USER32 ref: 10005437
                                                              • wsprintfA.USER32 ref: 1000549E
                                                              • wsprintfA.USER32 ref: 100054BC
                                                              • PrintFile.08E2VWQYI0(?,?,10016594,?,00000000), ref: 100054DE
                                                              • wsprintfA.USER32 ref: 10005582
                                                              • Sleep.KERNEL32(000003E8,00000000,76C08400,?,40000000,00000001,00000000,00000002,00000000,00000000,7541C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                                              Strings
                                                              • %s\%s, xrefs: 10005431
                                                              • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                              • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$FilePrintSleep
                                                              • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                                              • API String ID: 518940211-4228670124
                                                              • Opcode ID: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                              • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                                              • Opcode Fuzzy Hash: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                              • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf
                                                              • String ID: %s\%s$%s\version.txt$12010043$F896SD5DAE$M%s$host123.zz.am:6658
                                                              • API String ID: 2111968516-3890874662
                                                              • Opcode ID: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                              • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                                              • Opcode Fuzzy Hash: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                              • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                                              APIs
                                                              • wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,0007D000,00000000,00000000), ref: 100065C8
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,0007D000,00000000,00000000), ref: 100065E6
                                                              • wsprintfA.USER32 ref: 100066E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                              • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                              • API String ID: 4077377486-2496724313
                                                              • Opcode ID: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                              • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                              • Opcode Fuzzy Hash: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                              • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1
                                                              APIs
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseFormatQueryTimeValue___crt
                                                              • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                              • API String ID: 271660946-3893357082
                                                              • Opcode ID: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                              • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                              • Opcode Fuzzy Hash: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                              • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                              • API String ID: 0-2039984758
                                                              • Opcode ID: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                              • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                              • Opcode Fuzzy Hash: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                              • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                              APIs
                                                              • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                                              • wsprintfA.USER32 ref: 100083E6
                                                              Strings
                                                              • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                              • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                              • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                              • 8.8.8.8, xrefs: 100083EF
                                                              • 127.0.0.1, xrefs: 100083F4
                                                              • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleepwsprintf
                                                              • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                              • API String ID: 1749205058-626475063
                                                              • Opcode ID: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                              • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                              • Opcode Fuzzy Hash: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                              • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51
                                                              APIs
                                                                • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                              • wsprintfA.USER32 ref: 10006D88
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                              Strings
                                                              • dtfd, xrefs: 10006DA6
                                                              • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                              • REG_SZ, xrefs: 10006D44
                                                              • %s "%s",DoAddToFavDlg, xrefs: 10006D82
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                              • String ID: %s "%s",DoAddToFavDlg$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                              • API String ID: 1762869224-3711648159
                                                              • Opcode ID: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                              • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                              • Opcode Fuzzy Hash: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                              • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4
                                                              APIs
                                                                • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                              • GetLastError.KERNEL32 ref: 10006AA8
                                                                • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                              • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                              • String ID: 0x5d65r455f$5762479093
                                                              • API String ID: 3244495550-2446933972
                                                              • Opcode ID: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                              • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                              • Opcode Fuzzy Hash: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                              • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3
                                                              APIs
                                                              • Sleep.KERNEL32(00002710), ref: 1000857E
                                                              • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                              • API String ID: 3472027048-3516831565
                                                              • Opcode ID: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                              • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                              • Opcode Fuzzy Hash: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                              • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 10005F21
                                                                • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,?), ref: 10004132
                                                                • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                                • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 10004064
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                              • String ID: %s\lang.ini
                                                              • API String ID: 3793502078-1858510373
                                                              • Opcode ID: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                              • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                                              • Opcode Fuzzy Hash: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                              • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$http://$search
                                                              • API String ID: 1721638100-482061809
                                                              • Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                              • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                              • Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                              • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                              APIs
                                                              • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                              Strings
                                                              • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                              • svchsot.exe, xrefs: 10008524
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                              • API String ID: 3472027048-2214221337
                                                              • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                              • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf
                                                              • String ID: %s\%s$.$\*.*
                                                              • API String ID: 2111968516-2210278135
                                                              • Opcode ID: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                              • Instruction ID: 8eec4f815dbe1efa717b949f22b0b4cf07a5e7ea20f36989431d082c549aebfc
                                                              • Opcode Fuzzy Hash: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                              • Instruction Fuzzy Hash: D9315CB6C0425CBBEF12DFA4CC46EDE7B7DEB09380F0004A6F618A6051DB719B988B51
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: $p=5w
                                                              • API String ID: 1927566239-2851331367
                                                              • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                                              • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3088978518.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 0000000B.00000002.3088887387.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3089283708.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090215593.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090275197.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090340557.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 0000000B.00000002.3090387542.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$http://
                                                              • API String ID: 1721638100-679094439
                                                              • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                              • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                              • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                              • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

                                                              Execution Graph

                                                              Execution Coverage:11.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3
                                                              execution_graph 408 3061547 GetProcAddress 409 3061525 LoadLibraryA 374 3060063 375 3060067 374->375 376 30600c3 375->376 377 306006b VirtualAlloc 375->377 377->376 379 3060084 377->379 378 30600b5 VirtualFree 378->376 379->378 380 30614c0 VirtualProtect 381 30614ff VirtualProtect 380->381 382 30614fb 380->382 382->381 383 3060cd0 387 3060d32 383->387 385 3060ce7 398 3060cf9 385->398 388 3060d3e 387->388 389 3060d57 VirtualAlloc 388->389 392 3060d86 389->392 390 3060e28 MessageBoxA ExitProcess 391 3060e42 393 3060e70 VirtualFree 391->393 392->390 392->391 394 3060dc7 392->394 393->385 395 3060dd7 wsprintfA 394->395 397 3060de7 394->397 395->397 397->390 399 3060d29 398->399 400 3060d57 VirtualAlloc 399->400 403 3060d86 400->403 401 3060e28 MessageBoxA ExitProcess 402 3060e42 404 3060e70 VirtualFree 402->404 403->401 403->402 405 3060dc7 403->405 406 3060e0c wsprintfA 405->406 407 3060de7 405->407 406->407 407->401 410 3060e9f 411 3060ea9 LoadLibraryA 410->411 412 3060ec1 411->412 412->411 413 3060ec7 GetProcAddress 412->413 414 3060ee4 412->414 413->412 415 3060c8d 416 3060caf 415->416 417 3060d57 VirtualAlloc 416->417 420 3060d86 417->420 418 3060e28 MessageBoxA ExitProcess 419 3060e42 421 3060e70 VirtualFree 419->421 420->418 420->419 422 3060dc7 420->422 423 3060e0c wsprintfA 422->423 424 3060de7 422->424 423->424 424->418 425 306002a 426 306002c 425->426 427 3060056 426->427 434 3060047 426->434 430 3060045 430->427 438 3060063 430->438 433 30600aa VirtualFree 433->427 435 306004b 434->435 436 306003b 435->436 437 3060063 2 API calls 435->437 436->430 436->433 437->436 439 3060067 438->439 440 30600c3 439->440 441 306006b VirtualAlloc 439->441 440->427 441->440 443 3060084 441->443 442 30600b5 VirtualFree 442->440 443->442

                                                              Callgraph

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 16c203f210c199eec5e5c9761231a2c142e48a2dedc1432673bc71f2bf052f88
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 1251163114A7859FDB3ACF20CC40BDB7BB9AF46300F09419EDD469B29AEB34A814CB51

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03060E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: c056d92dc2c50a53340e63c12937258293b06f0db908cd31dce0f1f5f733f562
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: 1E419D362417169FEB38CF14CC44FEB73A5AF44351F044618ED469B689EB70B911CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 03060D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 03060E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 03060E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 03060E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 03060E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: edcce62883e29a07068e50361eb99db082087d0211dd0322ef30be9d8e22b546
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: 1931A9362867469FDB38DF10CC80FEB77A9AF84351F04411DED469B689EB70A810CB50

                                                              Control-flow Graph

                                                              control_flow_graph 98 30614c0-30614f9 VirtualProtect 99 30614ff-3061517 VirtualProtect 98->99 100 30614fb-30614fd 98->100 100->99
                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 030614EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0306150D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: ec6bc77671bef2c5afc818fa0ad32a5b2d9c608e0d4405a18c85efd481e7501b
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 8DF0E933240245AFEB0D8F64D885EEE7768DF48398B20006AF7029A58ACA71D551C754

                                                              Control-flow Graph

                                                              control_flow_graph 101 3060063-3060069 103 30600c3-30600c5 101->103 104 306006b-3060082 VirtualAlloc 101->104 105 30600c6-30600ca 103->105 104->103 106 3060084-30600b0 call 30600cd 104->106 109 30600b5-30600c1 VirtualFree 106->109 110 30600b2-30600b4 106->110 109->103 109->105 110->109
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0306007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030600BE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: db82dc17b7b1d6a4d624b630e3cf66c1aafaf0859c2e8ef635d780305f46e239
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: C401817624AA017EF7718AA19C00F37BBDCDF48612F184C5AFAD5C5090DA26E4408B70

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030600BE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1518475643.0000000003060000.00000040.00001000.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_3060000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: ad643e6b4d9600eaa03acacfd0df492284276328b7da61fb7f972ab6bf2d4168
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 2EF0E92669FB1169F610E7347C44A67BBD8DB46221F150E97DC40D6095DD21D80286A4

                                                              Execution Graph

                                                              Execution Coverage:9.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3

                                                              Callgraph

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 049C0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 049C0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 049C0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 049C0E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 865a378dbe3d9cbec3500cc9407edf980bccd2e6d76bdce4bc67525784654184
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 72510331145785CFEB368F60CC44ADB3BB9AF46304F0941AEDD869B296EB34B814CB52

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 049C0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 049C0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 049C0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 049C0E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 049C0E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: e6dfc35ed3041f05538e6551e30aebb9b534e8d47c8c2072b8c46ba3b61349d3
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: F4418C32240706DBEB34DF54CC44EEB73A5AF48355F04412CEE4A97685EB70B8118B95

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 049C0D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 049C0E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 049C0E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 049C0E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 049C0E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: 025160fcb745dfa36209bd7f0658cc70ca901b03d7b7836fbad8fff22b54fc94
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: AD319832240746DFEB399F90CC84EEB77A9AF84355F00412DEE4697285EB70B8208B56

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 049C14EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 049C150D
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: 493e329a4102c773fe98c61c4cda24348115e1597462ee8a589a65e54d89e816
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: EBF0E933240245AFEB098F64D885EEE7768DF48398B2000AAF7029A186CA71E551C754

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 049C007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 049C00BE
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: 759de3f236402625561d78d08cdaaa424c9415d2497a27c242fe42d6cb3fac2f
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: 7F018C72209602BEE7318AA19C00F37BBECDF48616F144C6EFAD5C2090DA26E440DB72

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 049C00BE
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1500385010.00000000049C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_49c0000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: f7e3f06ac5f202597dff423c5c19e211ea0a0b015cf5ade9c5697f084d3e52d4
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 89F0E92264E311A9F610E7B47C44A27BB98EB4222AF160DBFDC40D6091DD11E902C6A6

                                                              Execution Graph

                                                              Execution Coverage:1.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:31
                                                              Total number of Limit Nodes:2

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04940D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04940E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04940E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04940E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 97e54e1bda7bbde43ddb9bcb4e37191b955044e5fa019b9a1545b89488e47bea
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: 5D51F3311057859FDB368F20CC54FDB3BB9AF86304F0941AADE869B296EB34B815CB51

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04940D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04940E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04940E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04940E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04940E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: 72cef57de616412d0069af583be13d4044099416f9fa6fe33701ca57c0d5b910
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: 2A417D322407469FEB38DF14CC48FEB73A5AF88355F044529EE4A97645EB70B925CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 04940D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 04940E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 04940E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 04940E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04940E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: d96f9a8b4c2172372ca98e65763e4c23babdb30ed7e4aba61d2320920325b112
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: CB31AB322417469FEB399F10CC88FEB77A9AF85355F00412DEE4697685EB70B920CB50

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 049414EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 0494150D
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: 13ba4dea0c425a21ffab38fee9b873d34075afb91ce07348e524a10eaf63868d
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 3AF0E933240245AFEB098F64D885EEE7768DF48398B20006AF7029A186CA71E551C754

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0494007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 049400BE
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: e00e315d9a2adf3249a9bbce7fc259cbada2da7b56c2194d53272728bee51bbc
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: AE018C72209602BEE7315AA19C10F37BBECDF88616F144C6AFBD5C2090DA26E440DB70

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 049400BE
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3407289657.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_4940000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: 840838c76310ac6cbce664d2cd3fa9f7f1a732ff89e37e43c521830c21d750a8
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: 5EF0E92264E31169F6247734FC58E27BB98DBC2229B150DB7DE40D6091DD15E802C6A4
                                                              APIs
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                              • VariantInit.OLEAUT32(?), ref: 1000734D
                                                              • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                              • VariantInit.OLEAUT32(?), ref: 10007377
                                                                • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                              • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                              • VariantInit.OLEAUT32(?), ref: 10007513
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant$ArrayCreateSafe
                                                              • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=5w
                                                              • API String ID: 2640012081-3861124693
                                                              • Opcode ID: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                              • Instruction ID: ecf29a1c47d91b81846b45f5da98bbb69cd4e5f42de0d6ad34227a81938465a8
                                                              • Opcode Fuzzy Hash: 771ce970c353409643c1e51f5a1a866829e869cd5479564b662196a77da70a54
                                                              • Instruction Fuzzy Hash: DAD17E70D00209EFEB15CFA4C8809EEBBB8FF49780F104419F419AB259DB75AA45CFA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=5w$svchost.exe$svchost.exe -k NetworkService
                                                              • API String ID: 1927566239-4270180057
                                                              • Opcode ID: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction ID: f681daf1cfe066dfb2c65bb1802d225618d831e3fba353d21c944956626e3e16
                                                              • Opcode Fuzzy Hash: b6f3bf19f9a655f11ce33ea3d1eef9f97ff5ff13253a98ebad0314bfa4936779
                                                              • Instruction Fuzzy Hash: 23A159B1900209AFEB04DFA4CC81DEEBBBDEF48394F104569F515AB295DB31AE45CB60
                                                              APIs
                                                              • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                              • Sleep.KERNEL32 ref: 10007059
                                                              • wsprintfA.USER32 ref: 1000709D
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000), ref: 100070D6
                                                              • PrintFile.08E2VWQYI0(00000000,?,00000000,?,00000000), ref: 100070E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FilePrintSleep$wsprintf
                                                              • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.254:23588/article.php$iOffset
                                                              • API String ID: 1547040302-3813294871
                                                              • Opcode ID: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                              • Instruction ID: e128ca64511400ca05deee7795c3814a468ccd3a13c6d035e862ae5cb279fd62
                                                              • Opcode Fuzzy Hash: 7c7c87d37a25e933c3930475f6f6c1f502c6fe5351302a316d4f9e37d4858cab
                                                              • Instruction Fuzzy Hash: AC51D9B6D04359E6FB22D764CC56FCF77ACEB083C1F1045A5F208EA086DA75AB808E55
                                                              APIs
                                                              • wsprintfA.USER32 ref: 1000574F
                                                              • wsprintfA.USER32 ref: 100057B1
                                                              • wsprintfA.USER32 ref: 100057C5
                                                              • PrintFile.08E2VWQYI0(?,?,00000000), ref: 100057E8
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$CreateFilePrintThread
                                                              • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                              • API String ID: 1788855648-1421401311
                                                              • Opcode ID: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                              • Instruction ID: 590dfccee83cd698aee2aff2a0aef7bd89598b4f0e32949fa848c193a7d694e7
                                                              • Opcode Fuzzy Hash: 6fb47a9fe862675510a1f075e21a27b9bead55373d009136fb6ced19a80d2edf
                                                              • Instruction Fuzzy Hash: 0531EA72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AA858A91
                                                              APIs
                                                              • wsprintfA.USER32 ref: 10005437
                                                              • wsprintfA.USER32 ref: 1000549E
                                                              • wsprintfA.USER32 ref: 100054BC
                                                              • PrintFile.08E2VWQYI0(?,?,10016594,?,00000000), ref: 100054DE
                                                              • wsprintfA.USER32 ref: 10005582
                                                              • Sleep.KERNEL32(000003E8,00000000,76C08400,?,40000000,00000001,00000000,00000002,00000000,00000000,7541C650,?,?,00000009,00000000,10016594), ref: 100055AE
                                                              Strings
                                                              • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                              • %s\%s, xrefs: 10005431
                                                              • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf$FilePrintSleep
                                                              • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$c:\windows\system32\drivers\%s
                                                              • API String ID: 518940211-4228670124
                                                              • Opcode ID: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                              • Instruction ID: 3567043749f32881e03762bb9a57e308b600a04db8eea4acb5e64ce7ea9520bd
                                                              • Opcode Fuzzy Hash: 39048bcfdf3bf410764be82e0f082a0a9eec60ddbb964b0eb01d8c58901bbfe8
                                                              • Instruction Fuzzy Hash: 9751C272900658BFEB11CB68CC45FEE73ADEB48341F1404A5FA08AB191DBB1FE858B50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf
                                                              • String ID: %s\%s$%s\version.txt$12010043$F896SD5DAE$M%s$host123.zz.am:6658
                                                              • API String ID: 2111968516-3890874662
                                                              • Opcode ID: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                              • Instruction ID: 32e0762688fea209a997a92a9e142d3ada4c65c650573aee4fc5e34dd7d3b294
                                                              • Opcode Fuzzy Hash: 3118e657eae3f5d2f61f4ee869a04ddae59cc99c3ba34e718331a143210d2a8d
                                                              • Instruction Fuzzy Hash: 961159356007197BF210E7919C45F5F7E9CDF896A6F01021DFB01AE181DB76F9818A72
                                                              APIs
                                                              • wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,0007D000,00000000,00000000), ref: 100065C8
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,0007D000,00000000,00000000), ref: 100065E6
                                                              • wsprintfA.USER32 ref: 100066E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                              • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                              • API String ID: 4077377486-2496724313
                                                              • Opcode ID: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                              • Instruction ID: 9bb45785208bde0406de56643d62444fa716b577ceefe44749a59ab2aa42cbd8
                                                              • Opcode Fuzzy Hash: 5ec698da00dc29de8f7ffc8bf67f0a9d9225dbf0750770383525da2cc9019453
                                                              • Instruction Fuzzy Hash: 9C81E5B5C05248BEFB01DBA4DC82EEF7B7EEF09394F244059F504A7186DA356E4187A1
                                                              APIs
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseFormatQueryTimeValue___crt
                                                              • String ID: %u MB$12010043$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.254:23588/article.php
                                                              • API String ID: 271660946-3893357082
                                                              • Opcode ID: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                              • Instruction ID: 4f35d1d9e5d3edf0c8f7125bb17b53cb037807f44d0344e2d1e4939474d77481
                                                              • Opcode Fuzzy Hash: 6ebe894f3437417800d54ef2792eb82f2068fe9e67a777853d7c8d0efda6717d
                                                              • Instruction Fuzzy Hash: 6531C0B6804208BAFB10C764DC42FDF77BCEB08351F10406AFA18BA082EB75BA458B55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s\%s$*.*$.$107.160.131.254:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                              • API String ID: 0-2039984758
                                                              • Opcode ID: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                              • Instruction ID: 154fd83921e69bd95517e48f0429fd4d3315e101fc3602ca34ca7394d0d5f03d
                                                              • Opcode Fuzzy Hash: bd2d39ad8c3f066515e4f40e719d80e45a5746cb50308c2dc9da521a7abe9638
                                                              • Instruction Fuzzy Hash: C371517690425DBEEB61D7A4DC45FEEB7BCEB48240F1004E6F608E6041DB74AB898F61
                                                              APIs
                                                              • Sleep.KERNEL32(00080000,00000000,00000000), ref: 10008394
                                                              • wsprintfA.USER32 ref: 100083E6
                                                              Strings
                                                              • http://107.160.131.254:23588/article.php, xrefs: 10008353
                                                              • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                              • 127.0.0.1, xrefs: 100083F4
                                                              • 8.8.8.8, xrefs: 100083EF
                                                              • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                              • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleepwsprintf
                                                              • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.254:23588/article.php
                                                              • API String ID: 1749205058-626475063
                                                              • Opcode ID: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                              • Instruction ID: 78e0688a60563a7bb1736696f6623559e09cac3deedd02f0104af55f58a5e4a8
                                                              • Opcode Fuzzy Hash: 9f7dfab18579cecf97e90eb8dea0a0d842579079791f42c3668da9ca524ab5bf
                                                              • Instruction Fuzzy Hash: 9E4106B6D04258B6F721D364CC46FCF77ACEB457C0F2400A6F248A9086EAB4AB848E51
                                                              APIs
                                                                • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                              • wsprintfA.USER32 ref: 10006D88
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                              Strings
                                                              • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                              • dtfd, xrefs: 10006DA6
                                                              • REG_SZ, xrefs: 10006D44
                                                              • %s "%s",DoAddToFavDlg, xrefs: 10006D82
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                              • String ID: %s "%s",DoAddToFavDlg$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$dtfd
                                                              • API String ID: 1762869224-3711648159
                                                              • Opcode ID: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                              • Instruction ID: 20d4b35ab7fa00c236079ec8a4dd8982143edab80ee48f6a2419757257224b01
                                                              • Opcode Fuzzy Hash: 61d0bd0e05473ddd948e32944040b939d5f1ffa9c41235ae9aa68812b1daf432
                                                              • Instruction Fuzzy Hash: 451160B694415CBEFB11D7A4DC86FEA776CEB14340F1404A1F704FA085DAB16F988AA4
                                                              APIs
                                                                • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                                              • GetLastError.KERNEL32 ref: 10006AA8
                                                                • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                              • Sleep.KERNEL32(0002BF20,00000000,00000000,00000000,00000000,000000FF), ref: 10006ADD
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                              • String ID: 0x5d65r455f$5762479093
                                                              • API String ID: 3244495550-2446933972
                                                              • Opcode ID: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                              • Instruction ID: bd1adab126fe453b34de0ea9e0b5f284958d10fa0a203dc352c1be2a30225ce5
                                                              • Opcode Fuzzy Hash: 19283e5acea808ec0441168ab06e47d1eb0b849edc2e8a1a8406e88d778b2533
                                                              • Instruction Fuzzy Hash: 9701F2A4844228BAF211F3704CCADBF395DDB563D4F200528F915A908BDB24EC0145B3
                                                              APIs
                                                              • Sleep.KERNEL32(00002710), ref: 1000857E
                                                              • Sleep.KERNEL32(001B7740,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$wINsTA0\dEFauLT
                                                              • API String ID: 3472027048-3516831565
                                                              • Opcode ID: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                              • Instruction ID: 69b21accf233d090089117fd856bc82e5cd65d02c06b2ff4ec7ccf08b8a7457c
                                                              • Opcode Fuzzy Hash: a435b5dfb969170efa786a49c8884d6de8dbe2a3431997f47b479d14d9b9b80c
                                                              • Instruction Fuzzy Hash: 6421817680525CBAEB11EBE4CC46EDFBB7CEF08390F1400A9F604BB151DB765A458B91
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 10005F21
                                                                • Part of subcall function 10004126: OpenProcessToken.ADVAPI32(00000028,00000028,00000028,10005F32,00000000,00000028,?), ref: 10004132
                                                                • Part of subcall function 100040F1: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 100040FD
                                                              • ___crtGetTimeFormatEx.LIBCMT ref: 10005F79
                                                                • Part of subcall function 1000404F: AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 10004064
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProcessTimerToken$AdjustConcurrency::details::platform::__CreateCurrentFormatLookupOpenPrivilegePrivilegesQueueTimeValue___crt
                                                              • String ID: %s\lang.ini
                                                              • API String ID: 3793502078-1858510373
                                                              • Opcode ID: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                              • Instruction ID: ec7a4272703c46c275716bc18e38bfb45c62e376eb564a1a1e1e8047e794edd2
                                                              • Opcode Fuzzy Hash: 943eacc63be365ee390a7fa6fdfefc3784325c993301e913e17fb999f353862f
                                                              • Instruction Fuzzy Hash: FE21BDB6D00119BEEB10DAA4CC02FEF7BBCDF04790F104021FA04E6185EA75AB809AE1
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$http://$search
                                                              • API String ID: 1721638100-482061809
                                                              • Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                              • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                              • Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                              • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                              APIs
                                                              • Sleep.KERNEL32(?,00000800,?,?,?,svchsot.exe,?,?,?,?,00000000,?,?,?), ref: 1000855C
                                                              Strings
                                                              • svchsot.exe, xrefs: 10008524
                                                              • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                              • API String ID: 3472027048-2214221337
                                                              • Opcode ID: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction ID: e8defaa02cb337ec462540d7064ad22b690c993f3d196736069eab589a90189d
                                                              • Opcode Fuzzy Hash: d2131fb9256a9d085b7213a385e4fb7e2e0d0505dace0aeb26e32ec0842a8d4a
                                                              • Instruction Fuzzy Hash: EE314D7290015DBEEB01DBA4CD81DEFB7FDFB48284F1440A6F644E6105EA30AF858BA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: wsprintf
                                                              • String ID: %s\%s$.$\*.*
                                                              • API String ID: 2111968516-2210278135
                                                              • Opcode ID: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                              • Instruction ID: 8eec4f815dbe1efa717b949f22b0b4cf07a5e7ea20f36989431d082c549aebfc
                                                              • Opcode Fuzzy Hash: 4f2de8578788dcd6f15c30ab244c025409ca5a520a2ed8ecc6f1cbb160d50d59
                                                              • Instruction Fuzzy Hash: D9315CB6C0425CBBEF12DFA4CC46EDE7B7DEB09380F0004A6F618A6051DB719B988B51
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID: $p=5w
                                                              • API String ID: 1927566239-2851331367
                                                              • Opcode ID: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction ID: ef89c2eb01536c9538a48ebd5608185a951f11054c82c4a53c762a0a2007c409
                                                              • Opcode Fuzzy Hash: d0ca9816adfda9363097ead228823b8de7426d0966cf0e74972078de5e0d5c66
                                                              • Instruction Fuzzy Hash: AB41A475D002599FEF14DFA4C884AEEB7F8FF05284F10446DE91AA3245DB38AE48CB61
                                                              APIs
                                                                • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                              • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.3408422372.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000013.00000002.3408336431.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408499837.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408596428.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408656520.000000001001E000.00000020.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408775433.000000001003D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000013.00000002.3408900426.000000001004F000.00000040.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                              • String ID: %s\lang.ini$http://
                                                              • API String ID: 1721638100-679094439
                                                              • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                              • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                              • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                              • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

                                                              Execution Graph

                                                              Execution Coverage:9.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:63
                                                              Total number of Limit Nodes:3
                                                              execution_graph (rendered node/edge listing omitted; API nodes in the graph: VirtualAlloc, VirtualFree, VirtualProtect, LoadLibraryA, GetProcAddress, wsprintfA, MessageBoxA, ExitProcess)

                                                              Callgraph

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02D90D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02D90E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02D90E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02D90E3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: AllocExitMessageProcessVirtualwsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 1926473177-4283279704
                                                              • Opcode ID: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction ID: 5d7e4e797c9aa0d490a3e353615793f30f98b0299f852dea113c3958edef2229
                                                              • Opcode Fuzzy Hash: cc50955b1b3b8c90b3c42dad072ac0ae91170c06dcfb767a7f19b4557c02c924
                                                              • Instruction Fuzzy Hash: B651E3311057859FDB368F24CC40BEB3BB9AF06305F09419AED869B296EB34AC15CB61

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02D90D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02D90E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02D90E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02D90E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02D90E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction ID: 3fe8e0c115d4c9b630a4ebb3d05befbe9ff757164832f39346f73086e9663a86
                                                              • Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
                                                              • Instruction Fuzzy Hash: EA4159322407069BEB389F14DC44BEB73A9EF48356F044219EE4AA7784EB71E911CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?), ref: 02D90D78
                                                              • wsprintfA.USER32(?,?,?,?), ref: 02D90E1C
                                                              • MessageBoxA.USER32(00000000,?,?,00000010), ref: 02D90E34
                                                              • ExitProcess.KERNEL32(00000000), ref: 02D90E3C
                                                              • VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 02D90E85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocExitFreeMessageProcesswsprintf
                                                              • String ID: Application error$SWVU$The procedure %s could not be located in the DLL %s.
                                                              • API String ID: 3261521767-4283279704
                                                              • Opcode ID: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction ID: 34ebfa8a025d5704790a204aa2da11c1f23b79fc2b34201f2f2da1874347e7bc
                                                              • Opcode Fuzzy Hash: f3f4ceec5dac74f6035a517ed20072721e7ea1b7e2d6ae06b7b7f5dbf5df774f
                                                              • Instruction Fuzzy Hash: 0931863224174A9FDB399F10DC84FEB77AAEF45352F004219EE4A97685EB70A810CB60

                                                              Control-flow Graph

                                                              control_flow_graph 98 2d914c0-2d914f9 VirtualProtect 99 2d914fb-2d914fd 98->99 100 2d914ff-2d91517 VirtualProtect 98->100 99->100
                                                              APIs
                                                              • VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 02D914EF
                                                              • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 02D9150D
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction ID: be39143ebcefc20333094dda4ff7f37f30657ab932889259c39861b6675ef7d6
                                                              • Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
                                                              • Instruction Fuzzy Hash: 2DF0E933340245AFEF098F64D885EEE7768DF49398B20006AF7029A286CA71D551C754

                                                              Control-flow Graph

                                                              control_flow_graph 101 2d90063-2d90069 103 2d9006b-2d90082 VirtualAlloc 101->103 104 2d900c3-2d900c5 101->104 103->104 105 2d90084-2d900a4 103->105 106 2d900c6-2d900ca 104->106 107 2d900aa-2d900b0 105->107 108 2d900a5 call 2d900cd 105->108 109 2d900b2-2d900b4 107->109 110 2d900b5-2d900c1 VirtualFree 107->110 108->107 109->110 110->104 110->106
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D9007E
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 02D900BE
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: Virtual$AllocFree
                                                              • String ID:
                                                              • API String ID: 2087232378-0
                                                              • Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction ID: 4d803958fd30ddc7db044aa23e6e14465ffc97820af5b8224733637e05c92d2e
                                                              • Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
                                                              • Instruction Fuzzy Hash: D501A4722096117EEB315AA1AC01F37BBDCDF48712F244C5AFAD9C2190DA25E840DB70

                                                              Control-flow Graph

                                                              control_flow_graph 111 2d9002a-2d9002e 113 2d900c3-2d900c5 111->113 114 2d90034-2d90043 call 2d90047 111->114 116 2d900c6-2d900ca 113->116 118 2d900aa-2d900b0 114->118 119 2d90045-2d9004c 114->119 122 2d900b2-2d900b4 118->122 123 2d900b5-2d900c1 VirtualFree 118->123 120 2d90056-2d90061 119->120 121 2d90051 call 2d90063 119->121 120->113 121->120 122->123 123->113 123->116
                                                              APIs
                                                              • VirtualFree.KERNELBASE(00000000,?,00004000), ref: 02D900BE
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.1751321939.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2d90000_rundll32.jbxd
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction ID: a55852334d7d689a6f1afac4a48ba1638253471489ae18406073c2e781ae4d9c
                                                              • Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
                                                              • Instruction Fuzzy Hash: D9F0E93254A31169FB1077347C49A27BB99DB42327F250997FC44D7191DD11DC42DAB4