Edit tour

Windows Analysis Report
7sAylAXBOb.exe

Overview

General Information

Sample name:	7sAylAXBOb.exe renamed because original name is a hash value
Original sample name:	c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526.exe
Analysis ID:	1467010
MD5:	85179ac6aec3b32a40b06f35cfc6594b
SHA1:	6700b84fa70c4b5ccab8688db32ac71a2aafeeb6
SHA256:	c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526
Tags:	exe
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7sAylAXBOb.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\7sAylAXBOb.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

akk3nwj1mabelfu4.exe (PID: 5776 cmdline: "C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

nlsxqvtcr.exe (PID: 1688 cmdline: "C:\zqzhokrkxswikv\nlsxqvtcr.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

nlsxqvtcr.exe (PID: 660 cmdline: C:\zqzhokrkxswikv\nlsxqvtcr.exe MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

gyyuuofs.exe (PID: 3104 cmdline: lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

nlsxqvtcr.exe (PID: 4536 cmdline: "c:\zqzhokrkxswikv\nlsxqvtcr.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

gyyuuofs.exe (PID: 4600 cmdline: lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe" MD5: 85179AC6AEC3B32A40B06F35CFC6594B)

svchost.exe (PID: 2148 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 2148, ProcessName: svchost.exe

Snort Signatures

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.246.200.160 - Destination IP: 192.168.2.9

Timestamp:	07/03/24-16:25:11.482211
SID:	2037771
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net) - Source IP: 1.1.1.1 - Destination IP: 192.168.2.9

Timestamp:	07/03/24-16:25:12.587584
SID:	2811542
Source Port:	53
Destination Port:	58330
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 3.94.10.34 - Destination IP: 192.168.2.9

Timestamp:	07/03/24-16:25:12.567884
SID:	2037771
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.9 - Destination IP: 77.247.183.155

Timestamp:	07/03/24-16:25:06.455531
SID:	2815568
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.9 - Destination IP: 77.247.183.155

Timestamp:	07/03/24-16:26:32.618956
SID:	2815568
Source Port:	53879
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 1.1.1.1 - Destination IP: 192.168.2.9

Timestamp:	07/03/24-16:25:09.738416
SID:	2018316
Source Port:	53
Destination Port:	50077
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 44.221.84.105 - Destination IP: 192.168.2.9

Timestamp:	07/03/24-16:25:17.978035
SID:	2037771
Source Port:	80
Destination Port:	53875
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7sAylAXBOb.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	ReversingLabs: Detection: 86%
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	ReversingLabs: Detection: 86%
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: 7sAylAXBOb.exe

ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Joe Sandbox ML: detected
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Joe Sandbox ML: detected
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7sAylAXBOb.exe

Joe Sandbox ML: detected

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E4BA80 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		2_2_00E4BA80
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_0078BA80 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		3_2_0078BA80

Source: 7sAylAXBOb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7sAylAXBOb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_00655250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00655250
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E45250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00E45250
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_00785250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00785250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E35250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00E35250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FF5250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	13_2_00FF5250

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2815568 ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort 192.168.2.9:49706 -> 77.247.183.155:80
Source: Traffic	Snort IDS: 2018316 ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses 1.1.1.1:53 -> 192.168.2.9:50077
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.246.200.160:80 -> 192.168.2.9:49710
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 3.94.10.34:80 -> 192.168.2.9:49711
Source: Traffic	Snort IDS: 2811542 ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net) 1.1.1.1:53 -> 192.168.2.9:58330
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 44.221.84.105:80 -> 192.168.2.9:53875
Source: Traffic	Snort IDS: 2815568 ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort 192.168.2.9:53879 -> 77.247.183.155:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: familywhose.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettewithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eithercomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinewithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familyprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinenature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englisharound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familybicycle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherbridge.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becauseprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectcomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personnature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishkitchen.net replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: becausecomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becauseenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausenature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machineprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherbicycle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectgovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetheraround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddengovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familyexcept.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitheraround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherwhose.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figurecomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturewelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinearound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familywagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: persongovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightcomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familywelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pictureprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figurewelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinewagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becauseneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pictureproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettearound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignnature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishbicycle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familycomplete.net replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: englishcomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishexcept.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrencomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personcomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherexcept.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becauseproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausewelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whethernature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturekitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thougharound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinewelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettewhose.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturewithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausewithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectnature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenbridge.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigaretteproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whethercomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rightaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreigncomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinegovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigaretteprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familywithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughcomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturearound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machineenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figureproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familyproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausegovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figureprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettewagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishwhose.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinekitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddennature.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturewagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreigngovern.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eitherwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machineproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: picturecomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausearound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figurewagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenkitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenwhose.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: familyaround.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: personenough.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figurearound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: childrenexcept.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettekitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suddenneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignwagon.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettewelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foreignproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: becausekitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: englishprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherwelcome.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectprobable.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectwithout.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machineneedle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whetherproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: figurekitchen.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: machinecomplete.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: expectproud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cigarettecomplete.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familybridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: childrenbicycle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishbridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: becausewagon.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: figurewithout.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughprobable.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familykitchen.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: suddencomplete.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishproud.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familybridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: childrenbicycle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishbridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: becausewagon.net

Source: Joe Sandbox View	IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View	IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View	IP Address: 34.205.242.146 34.205.242.146

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: NFORCENL NFORCENL
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00640D90 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

0_2_00640D90

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familybridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: childrenbicycle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishbridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: becausewagon.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: figurewithout.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughprobable.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familykitchen.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: suddencomplete.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishproud.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: familybridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: childrenbicycle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: englishbridge.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: becausewagon.net

Source: global traffic	DNS traffic detected: DNS query: cigarettewhose.net
Source: global traffic	DNS traffic detected: DNS query: childrenexcept.net
Source: global traffic	DNS traffic detected: DNS query: familyexcept.net
Source: global traffic	DNS traffic detected: DNS query: childrenbridge.net
Source: global traffic	DNS traffic detected: DNS query: familybridge.net
Source: global traffic	DNS traffic detected: DNS query: childrenbicycle.net
Source: global traffic	DNS traffic detected: DNS query: familybicycle.net
Source: global traffic	DNS traffic detected: DNS query: childrenwhose.net
Source: global traffic	DNS traffic detected: DNS query: familywhose.net
Source: global traffic	DNS traffic detected: DNS query: eitherexcept.net
Source: global traffic	DNS traffic detected: DNS query: englishexcept.net
Source: global traffic	DNS traffic detected: DNS query: eitherbridge.net
Source: global traffic	DNS traffic detected: DNS query: englishbridge.net
Source: global traffic	DNS traffic detected: DNS query: eitherbicycle.net
Source: global traffic	DNS traffic detected: DNS query: englishbicycle.net
Source: global traffic	DNS traffic detected: DNS query: eitherwhose.net
Source: global traffic	DNS traffic detected: DNS query: englishwhose.net
Source: global traffic	DNS traffic detected: DNS query: expectwagon.net
Source: global traffic	DNS traffic detected: DNS query: becausewagon.net
Source: global traffic	DNS traffic detected: DNS query: expectwithout.net
Source: global traffic	DNS traffic detected: DNS query: becausewithout.net
Source: global traffic	DNS traffic detected: DNS query: expectkitchen.net
Source: global traffic	DNS traffic detected: DNS query: becausekitchen.net
Source: global traffic	DNS traffic detected: DNS query: expectprobable.net
Source: global traffic	DNS traffic detected: DNS query: becauseprobable.net
Source: global traffic	DNS traffic detected: DNS query: personwagon.net
Source: global traffic	DNS traffic detected: DNS query: machinewagon.net
Source: global traffic	DNS traffic detected: DNS query: personwithout.net
Source: global traffic	DNS traffic detected: DNS query: machinewithout.net
Source: global traffic	DNS traffic detected: DNS query: personkitchen.net
Source: global traffic	DNS traffic detected: DNS query: machinekitchen.net
Source: global traffic	DNS traffic detected: DNS query: personprobable.net
Source: global traffic	DNS traffic detected: DNS query: machineprobable.net
Source: global traffic	DNS traffic detected: DNS query: suddenwagon.net
Source: global traffic	DNS traffic detected: DNS query: foreignwagon.net
Source: global traffic	DNS traffic detected: DNS query: suddenwithout.net
Source: global traffic	DNS traffic detected: DNS query: foreignwithout.net
Source: global traffic	DNS traffic detected: DNS query: suddenkitchen.net
Source: global traffic	DNS traffic detected: DNS query: foreignkitchen.net
Source: global traffic	DNS traffic detected: DNS query: suddenprobable.net
Source: global traffic	DNS traffic detected: DNS query: foreignprobable.net
Source: global traffic	DNS traffic detected: DNS query: whetherwagon.net
Source: global traffic	DNS traffic detected: DNS query: rightwagon.net
Source: global traffic	DNS traffic detected: DNS query: whetherwithout.net
Source: global traffic	DNS traffic detected: DNS query: rightwithout.net
Source: global traffic	DNS traffic detected: DNS query: whetherkitchen.net
Source: global traffic	DNS traffic detected: DNS query: rightkitchen.net
Source: global traffic	DNS traffic detected: DNS query: whetherprobable.net
Source: global traffic	DNS traffic detected: DNS query: rightprobable.net
Source: global traffic	DNS traffic detected: DNS query: figurewagon.net
Source: global traffic	DNS traffic detected: DNS query: thoughwagon.net
Source: global traffic	DNS traffic detected: DNS query: figurewithout.net
Source: global traffic	DNS traffic detected: DNS query: thoughwithout.net
Source: global traffic	DNS traffic detected: DNS query: figurekitchen.net
Source: global traffic	DNS traffic detected: DNS query: thoughkitchen.net
Source: global traffic	DNS traffic detected: DNS query: figureprobable.net
Source: global traffic	DNS traffic detected: DNS query: thoughprobable.net
Source: global traffic	DNS traffic detected: DNS query: picturewagon.net
Source: global traffic	DNS traffic detected: DNS query: cigarettewagon.net
Source: global traffic	DNS traffic detected: DNS query: picturewithout.net
Source: global traffic	DNS traffic detected: DNS query: cigarettewithout.net
Source: global traffic	DNS traffic detected: DNS query: picturekitchen.net
Source: global traffic	DNS traffic detected: DNS query: cigarettekitchen.net
Source: global traffic	DNS traffic detected: DNS query: pictureprobable.net
Source: global traffic	DNS traffic detected: DNS query: cigaretteprobable.net
Source: global traffic	DNS traffic detected: DNS query: childrenwagon.net
Source: global traffic	DNS traffic detected: DNS query: familywagon.net
Source: global traffic	DNS traffic detected: DNS query: childrenwithout.net
Source: global traffic	DNS traffic detected: DNS query: familywithout.net
Source: global traffic	DNS traffic detected: DNS query: childrenkitchen.net
Source: global traffic	DNS traffic detected: DNS query: familykitchen.net
Source: global traffic	DNS traffic detected: DNS query: childrenprobable.net
Source: global traffic	DNS traffic detected: DNS query: familyprobable.net
Source: global traffic	DNS traffic detected: DNS query: eitherwagon.net
Source: global traffic	DNS traffic detected: DNS query: englishwagon.net
Source: global traffic	DNS traffic detected: DNS query: eitherwithout.net
Source: global traffic	DNS traffic detected: DNS query: englishwithout.net
Source: global traffic	DNS traffic detected: DNS query: eitherkitchen.net
Source: global traffic	DNS traffic detected: DNS query: englishkitchen.net
Source: global traffic	DNS traffic detected: DNS query: eitherprobable.net
Source: global traffic	DNS traffic detected: DNS query: englishprobable.net
Source: global traffic	DNS traffic detected: DNS query: expectwelcome.net
Source: global traffic	DNS traffic detected: DNS query: becausewelcome.net
Source: global traffic	DNS traffic detected: DNS query: expectaround.net
Source: global traffic	DNS traffic detected: DNS query: becausearound.net
Source: global traffic	DNS traffic detected: DNS query: expectproud.net
Source: global traffic	DNS traffic detected: DNS query: becauseproud.net
Source: global traffic	DNS traffic detected: DNS query: expectcomplete.net
Source: global traffic	DNS traffic detected: DNS query: becausecomplete.net
Source: global traffic	DNS traffic detected: DNS query: personwelcome.net
Source: global traffic	DNS traffic detected: DNS query: machinewelcome.net
Source: global traffic	DNS traffic detected: DNS query: personaround.net
Source: global traffic	DNS traffic detected: DNS query: machinearound.net
Source: global traffic	DNS traffic detected: DNS query: personproud.net
Source: global traffic	DNS traffic detected: DNS query: machineproud.net
Source: global traffic	DNS traffic detected: DNS query: personcomplete.net
Source: global traffic	DNS traffic detected: DNS query: machinecomplete.net
Source: global traffic	DNS traffic detected: DNS query: suddenwelcome.net
Source: global traffic	DNS traffic detected: DNS query: foreignwelcome.net
Source: global traffic	DNS traffic detected: DNS query: suddenaround.net

Source: nlsxqvtcr.exe, 0000000C.00000002.2589785877.00000000020DD000.00000004.00000010.00020000.00000000.sdmp

String found in binary or memory: http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsI

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	File created: C:\Windows\zqzhokrkxswikv\	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb	Jump to behavior

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

File deleted: C:\Windows\zqzhokrkxswikv\tpcbuesrb

Jump to behavior

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_00650EE7	0_2_00650EE7
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_00650F01	0_2_00650F01
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_006497C0	0_2_006497C0
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E397C0	2_2_00E397C0
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_00780F01	3_2_00780F01
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_007797C0	3_2_007797C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E297C0	4_2_00E297C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FF0EE7	13_2_00FF0EE7
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FE97C0	13_2_00FE97C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FF0F01	13_2_00FF0F01

Source: 7sAylAXBOb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.winEXE@13/5@202/9

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00669A20
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00E59A20
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00799A20
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00E49A20
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	13_2_01009A20

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_006625D5 CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_006625D5

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00669A20 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00669A20

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_0064BB60 StartServiceCtrlDispatcherA,	0_2_0064BB60
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E3BB60 StartServiceCtrlDispatcherA,	2_2_00E3BB60
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_0077BB60 StartServiceCtrlDispatcherA,	3_2_0077BB60
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E2BB60 StartServiceCtrlDispatcherA,	4_2_00E2BB60
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FEBB60 StartServiceCtrlDispatcherA,	13_2_00FEBB60

Source: C:\zqzhokrkxswikv\gyyuuofs.exe

Mutant created: NULL

Source: 7sAylAXBOb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7sAylAXBOb.exe

ReversingLabs: Detection: 91%

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

File read: C:\Users\user\Desktop\7sAylAXBOb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7sAylAXBOb.exe "C:\Users\user\Desktop\7sAylAXBOb.exe"
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Process created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe "C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe"
Source: unknown	Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe C:\zqzhokrkxswikv\nlsxqvtcr.exe
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "C:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Process created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe "C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe"	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "C:\zqzhokrkxswikv\nlsxqvtcr.exe"	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "c:\zqzhokrkxswikv\nlsxqvtcr.exe"	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: 7sAylAXBOb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00631338 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,Sleep,Sleep,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,SetFileAttributesA,GetCommandLineA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,MessageBoxA,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,CreateThread,Sleep,

0_2_00631338

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_0064EF03 push ecx; iretd	0_2_0064EF10
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_006713F0 push eax; ret	0_2_00671404
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_006713F0 push eax; ret	0_2_0067142C
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E613F0 push eax; ret	2_2_00E61404
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E613F0 push eax; ret	2_2_00E6142C
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E3EF04 push ecx; iretd	2_2_00E3EF10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_0077EF0A push ecx; iretd	3_2_0077EF10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_007A13F0 push eax; ret	3_2_007A1404
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_007A13F0 push eax; ret	3_2_007A142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E513F0 push eax; ret	4_2_00E51404
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E513F0 push eax; ret	4_2_00E5142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E2EF04 push ecx; iretd	4_2_00E2EF10
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_010113F0 push eax; ret	13_2_01011404
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_010113F0 push eax; ret	13_2_0101142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FEEF0A push ecx; iretd	13_2_00FEEF10

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	File created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Jump to dropped file
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	File created: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Jump to dropped file
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	File created: C:\zqzhokrkxswikv\gyyuuofs.exe	Jump to dropped file

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00669A20 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00669A20

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

0_2_00631338

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_0063C260
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00E2C260
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_0076C260
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_00E1C260
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	13_2_00FDC260

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00E32C10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_00772C10

Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Window / User API: threadDelayed 641			Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Window / User API: threadDelayed 1230			Jump to behavior

Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 6572	Thread sleep time: -37774s >= -30000s	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988	Thread sleep count: 641 > 30	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988	Thread sleep time: -641000s >= -30000s	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988	Thread sleep count: 1230 > 30	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988	Thread sleep time: -1230000s >= -30000s	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428	Thread sleep count: 308 > 30	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428	Thread sleep time: -15400000s >= -30000s	Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 4580	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 4580	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Last function: Thread delayed
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Last function: Thread delayed
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Last function: Thread delayed
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Last function: Thread delayed
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	Code function: 0_2_00655250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00655250
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	Code function: 2_2_00E45250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00E45250
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Code function: 3_2_00785250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00785250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 4_2_00E35250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00E35250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	Code function: 13_2_00FF5250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	13_2_00FF5250

Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: akk3nwj1mabelfu4.exe, 00000002.00000002.1375176820.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, nlsxqvtcr.exe, 00000003.00000002.2155185204.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, nlsxqvtcr.exe, 0000000C.00000002.2589600492.0000000001487000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13055
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-12994
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13081
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13390
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13019
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13416
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13004
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13072
Source: C:\Users\user\Desktop\7sAylAXBOb.exe	API call chain: ExitProcess graph end node	graph_0-13339
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12052
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12071
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-11169
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-11990
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12017
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12753
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12690
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12790
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	API call chain: ExitProcess graph end node	graph_2-12090
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe	API call chain: ExitProcess graph end node

Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

0_2_00631338

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00667D20 GetProcessHeap,RtlFreeHeap,

0_2_00667D20

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_006407D0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006407D0

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_00667635 GetSystemTime,GetTickCount,

0_2_00667635

Source: C:\Users\user\Desktop\7sAylAXBOb.exe

Code function: 0_2_006582D0 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

0_2_006582D0

Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
7sAylAXBOb.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
7sAylAXBOb.exe	100%	Avira	TR/Nivdort.Gen2
7sAylAXBOb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	100%	Avira	TR/Nivdort.Gen2
C:\zqzhokrkxswikv\nlsxqvtcr.exe	100%	Avira	TR/Nivdort.Gen2
C:\zqzhokrkxswikv\gyyuuofs.exe	100%	Avira	TR/Nivdort.Gen2
C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	100%	Joe Sandbox ML
C:\zqzhokrkxswikv\nlsxqvtcr.exe	100%	Joe Sandbox ML
C:\zqzhokrkxswikv\gyyuuofs.exe	100%	Joe Sandbox ML
C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe	87%	ReversingLabs	Win32.Spyware.Nivdort
C:\zqzhokrkxswikv\gyyuuofs.exe	87%	ReversingLabs	Win32.Spyware.Nivdort
C:\zqzhokrkxswikv\nlsxqvtcr.exe	87%	ReversingLabs	Win32.Spyware.Nivdort

Source	Detection	Scanner	Label	Link
http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
thoughprobable.net	3.94.10.34	true	true	unknown
suddencomplete.net	15.197.192.55	true	false	unknown
englishproud.net	44.221.84.105	true	true	unknown
hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	52.86.6.113	true	false	unknown
figurewithout.net	34.246.200.160	true	true	unknown
childrenbicycle.net	217.70.152.246	true	false	unknown
familykitchen.net	3.64.163.50	true	false	unknown
hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	34.205.242.146	true	false	unknown
familybridge.net	77.247.183.155	true	true	unknown
becausewagon.net	15.197.192.55	true	false	unknown
picturecomplete.net	unknown	unknown	true	unknown
becausekitchen.net	unknown	unknown	true	unknown
expectwagon.net	unknown	unknown	true	unknown
cigarettewelcome.net	unknown	unknown	true	unknown
englishwhose.net	unknown	unknown	true	unknown
rightkitchen.net	unknown	unknown	true	unknown
eitherexcept.net	unknown	unknown	true	unknown
machineenough.net	unknown	unknown	true	unknown
becausenature.net	unknown	unknown	true	unknown
foreignwithout.net	unknown	unknown	true	unknown
whetherwithout.net	unknown	unknown	true	unknown
rightwithout.net	unknown	unknown	true	unknown
suddenproud.net	unknown	unknown	true	unknown
cigarettewhose.net	unknown	unknown	true	unknown
familywhose.net	unknown	unknown	true	unknown
childrenprobable.net	unknown	unknown	true	unknown
eitherwhose.net	unknown	unknown	true	unknown
cigaretteproud.net	unknown	unknown	true	unknown
englisharound.net	unknown	unknown	true	unknown
childrenwelcome.net	unknown	unknown	true	unknown
englishwelcome.net	unknown	unknown	true	unknown
suddenenough.net	unknown	unknown	true	unknown
figureproud.net	unknown	unknown	true	unknown
foreignnature.net	unknown	unknown	true	unknown
whetherprobable.net	unknown	unknown	true	unknown
becausewelcome.net	unknown	unknown	true	unknown
thoughwelcome.net	unknown	unknown	true	unknown
becausewithout.net	unknown	unknown	true	unknown
eitheraround.net	unknown	unknown	true	unknown
personenough.net	unknown	unknown	true	unknown
becausegovern.net	unknown	unknown	true	unknown
childrenexcept.net	unknown	unknown	true	unknown
rightcomplete.net	unknown	unknown	true	unknown
foreigngovern.net	unknown	unknown	true	unknown
englishexcept.net	unknown	unknown	true	unknown
whethernature.net	unknown	unknown	true	unknown
foreignproud.net	unknown	unknown	true	unknown
personwithout.net	unknown	unknown	true	unknown
suddenwithout.net	unknown	unknown	true	unknown
thoughcomplete.net	unknown	unknown	true	unknown
becauseprobable.net	unknown	unknown	true	unknown
eitherbridge.net	unknown	unknown	true	unknown
personneedle.net	unknown	unknown	true	unknown
rightprobable.net	unknown	unknown	true	unknown
childrenkitchen.net	unknown	unknown	true	unknown
whetherproud.net	unknown	unknown	true	unknown
picturewithout.net	unknown	unknown	true	unknown
suddennature.net	unknown	unknown	true	unknown
personproud.net	unknown	unknown	true	unknown
familyproud.net	unknown	unknown	true	unknown
childrenproud.net	unknown	unknown	true	unknown
pictureproud.net	unknown	unknown	true	unknown
becausearound.net	unknown	unknown	true	unknown
eitherwagon.net	unknown	unknown	true	unknown
picturearound.net	unknown	unknown	true	unknown
familycomplete.net	unknown	unknown	true	unknown
cigaretteprobable.net	unknown	unknown	true	unknown
machineneedle.net	unknown	unknown	true	unknown
englishbridge.net	unknown	unknown	true	unknown
eithercomplete.net	unknown	unknown	true	unknown
thoughwagon.net	unknown	unknown	true	unknown
becauseproud.net	unknown	unknown	true	unknown
picturekitchen.net	unknown	unknown	true	unknown
familywelcome.net	unknown	unknown	true	unknown
foreigncomplete.net	unknown	unknown	true	unknown
familybicycle.net	unknown	unknown	true	unknown
englishprobable.net	unknown	unknown	true	unknown
expectneedle.net	unknown	unknown	true	unknown
machinewagon.net	unknown	unknown	true	unknown
personcomplete.net	unknown	unknown	true	unknown
machinecomplete.net	unknown	unknown	true	unknown
expectcomplete.net	unknown	unknown	true	unknown
whetheraround.net	unknown	unknown	true	unknown
foreignneedle.net	unknown	unknown	true	unknown
figureprobable.net	unknown	unknown	true	unknown
whetherwelcome.net	unknown	unknown	true	unknown
machinewelcome.net	unknown	unknown	true	unknown
rightproud.net	unknown	unknown	true	unknown
expectenough.net	unknown	unknown	true	unknown
englishkitchen.net	unknown	unknown	true	unknown
expectprobable.net	unknown	unknown	true	unknown
expectproud.net	unknown	unknown	true	unknown
persongovern.net	unknown	unknown	true	unknown
childrenbridge.net	unknown	unknown	true	unknown
figurekitchen.net	unknown	unknown	true	unknown
picturewelcome.net	unknown	unknown	true	unknown
suddengovern.net	unknown	unknown	true	unknown
familyaround.net	unknown	unknown	true	unknown
expectnature.net	unknown	unknown	true	unknown
machinewithout.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsI	nlsxqvtcr.exe, 0000000C.00000002.2589785877.00000000020DD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.86.6.113	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
34.205.242.146	hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
3.94.10.34	thoughprobable.net	United States	14618	AMAZON-AESUS	true
77.247.183.155	familybridge.net	Netherlands	43350	NFORCENL	true
34.246.200.160	figurewithout.net	United States	16509	AMAZON-02US	true
44.221.84.105	englishproud.net	United States	14618	AMAZON-AESUS	true
217.70.152.246	childrenbicycle.net	Italy	34081	SERVER24-ASINCUBATECGmbH-SrlIT	false
15.197.192.55	suddencomplete.net	United States	7430	TANDEMUS	false
3.64.163.50	familykitchen.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467010
Start date and time:	2024-07-03 16:24:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7sAylAXBOb.exe renamed because original name is a hash value
Original Sample Name:	c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@13/5@202/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 7sAylAXBOb.exe

Simulations

Behavior and APIs

Time	Type	Description
10:25:38	API Interceptor	1848x Sleep call for process: gyyuuofs.exe modified
10:26:25	API Interceptor	365x Sleep call for process: nlsxqvtcr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.86.6.113	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	www.cn-brand.com/ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L
	PxYYzLeAPi.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	cotheme.com/wp-login.php
	B843BuO7i3.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	oldrochester.com/administrator/index.php
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	vanhellemond.com/admin
	INQUIRY_ORDER_FOR_QOUTATION.exe	Get hash	malicious	FormBook	Browse	www.nilwin.com/w14m/?8p-=RgLdab5XhCCB3jqn7Vi2pEN/W7gOS3jB38n2DLHJPRnoewz6mrTwgyYesLGMKl7gVg4w&Vp=HDKPXvqxKjZ4yj8p
	U8WCyVn8Mu.exe	Get hash	malicious	FormBook	Browse	www.pwpholdings.com/ro12/?9rNdFv=uAil5XdE1e6zA0aLCXQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/JS7rQnY8pJO546fRA==&xD=Ft5PKLC0brN4jHfp
	33040117281.exe	Get hash	malicious	CryptoWall	Browse	glamkey.com/errors/default/css/ap2.php?s=q7rg3eznvthp91
	Purchase order 88120-2023.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.flooringadvantage.com/en31/?4hTP3fG8=KUcC8fkldMT44CO7aVlxeHdIUYxETjS68jWSDAW8ZCT5/BvtgWeipdfa94FJxnSvzH9n&5jLT=2d6pK
	awu6e4e6x7.exe	Get hash	malicious	Unknown	Browse	mountainpower.net/index.php
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.pdqhomes.com/
34.205.242.146	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	englishbridge.net/index.php
	SecuriteInfo.com.Trojan.PackedNET.2627.30890.6585.exe	Get hash	malicious	FormBook	Browse	www.101surgery.com/jk56/?mzud=Hr1xmGD2HjuGCRr4leCYNs0OI7GAffCSLdcBJnJfDDHxahHk1fuC166fJfDLPGeB2s6+Q58bFA==&2dnDM=TR-H0P
	xqz8sQ4mZB.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	keywordranker.com/wp-login.php
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	ranproperty.com/admin
	G7DyaA9iz9.exe	Get hash	malicious	Pushdo	Browse	www.petsfan.com/
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.factrip.com/k13s/?TX=gdiXBZ9XElo0j&NtBd-4=uWrYNxRDxMcfpVUorn5LhOfzlN5kxGxMD93g+bJ9QWy8y87MZqRDKiiGMbTWXlwWiJNY
	OfficeNote.dmg	Get hash	malicious	XLoader	Browse	www.furnishyourhomes.com/09rb/?aL=uJwha8dp_vPTk&8zA8U=9FThH+IwbOwunVlG0mYF7A2xAZ8GMKvvOhPX3O2yxT45oxmu8kJxSYcJ1jFQ61pIwnc=
	2Lv4zBMFDA.exe	Get hash	malicious	FormBook	Browse	www.folkos.com/ge83/?1bPD=bVl2jvzz8J1xO6mKTJFjyPKLabYPyAVtigUnhgE3Q5Ye0looMuZ0YKzzGRmszDZDu/dh&RnKp_D=WFNX4xohKxZHw
	SOA.exe	Get hash	malicious	FormBook	Browse	www.lyrianhealth.com/s28y/?4hrd2=JFagtE1CaP/2XlGz023i77dYT6/g7XrE2ni8tDC2aTiR1Zb+K8+RxQ4+DffVf2PqSHxV&J0D=q6AdK4g
	u9WdcXODtt.exe	Get hash	malicious	FormBook	Browse	www.flsolarpower.com/b04s/?a0=ATP4XjX&DvFXXJvH=X3wvmzFxuFPmlogSGyLw+BDjOV4td6t+Fy5YqdhJniqHUn1TIXrxpvBdjvnD/n/GrBbK

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
suddencomplete.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	15.197.192.55
suddencomplete.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	15.197.192.55
englishproud.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
englishproud.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
thoughprobable.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.94.10.34
thoughprobable.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.94.10.34
figurewithout.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	34.246.200.160
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	34.246.200.160
	Jla3M8Fe16.exe	Get hash	malicious	Unknown	Browse	34.246.200.160
familykitchen.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
familykitchen.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
childrenbicycle.net	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	217.70.152.246
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	217.70.152.246
	ILTgEaPqmE.exe	Get hash	malicious	Unknown	Browse	217.70.152.246
	Jla3M8Fe16.exe	Get hash	malicious	Unknown	Browse	217.70.152.246
hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	52.86.6.113
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	3.94.41.167
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	52.86.6.113
	file.exe	Get hash	malicious	SystemBC	Browse	52.86.6.113
	file.exe	Get hash	malicious	CMSBrute	Browse	52.86.6.113
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	3.94.41.167
	uTorrent.exe	Get hash	malicious	Unknown	Browse	52.86.6.113
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	3.94.41.167
	ACTCsxhga8.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	3.94.41.167
	qrtzqUHSqT.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	52.86.6.113
hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	54.161.222.85
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	34.205.242.146
	t5SYVk0Tkt.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	54.161.222.85
	TL6bE5Uq4y.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	54.161.222.85
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	34.205.242.146
	td2RgV6HyP.exe	Get hash	malicious	SystemBC	Browse	34.205.242.146
	file.exe	Get hash	malicious	SystemBC	Browse	34.205.242.146
	file.exe	Get hash	malicious	CMSBrute	Browse	54.161.222.85
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	54.161.222.85
	KY9D34Qh8d.exe	Get hash	malicious	Unknown	Browse	34.205.242.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	52.204.220.16
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	3.5.29.31
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	3.81.197.107
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t	Get hash	malicious	HTMLPhisher	Browse	3.227.135.8
	https://www.evernote.com/shard/s371/sh/f041cc04-2eb8-11e1-1279-c0c24914207a/LWhD3rgdQ5xR5t--iDOJ7P-MUkYVUhgRq62dC8LVzLZOnctWRKJm5hEzqg	Get hash	malicious	HTMLPhisher	Browse	44.197.227.46
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	52.23.111.175
	Invoice - 21153253589581947197326090404964329500290845699807 - Toyotaconnected.pdf	Get hash	malicious	Unknown	Browse	52.6.155.20
	https://developers.foxit.com/	Get hash	malicious	Unknown	Browse	3.220.153.227
AMAZON-AESUS	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	52.204.220.16
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	3.5.29.31
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	3.81.197.107
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t	Get hash	malicious	HTMLPhisher	Browse	3.227.135.8
	https://www.evernote.com/shard/s371/sh/f041cc04-2eb8-11e1-1279-c0c24914207a/LWhD3rgdQ5xR5t--iDOJ7P-MUkYVUhgRq62dC8LVzLZOnctWRKJm5hEzqg	Get hash	malicious	HTMLPhisher	Browse	44.197.227.46
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	52.23.111.175
	Invoice - 21153253589581947197326090404964329500290845699807 - Toyotaconnected.pdf	Get hash	malicious	Unknown	Browse	52.6.155.20
	https://developers.foxit.com/	Get hash	malicious	Unknown	Browse	3.220.153.227
AMAZON-02US	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	18.239.69.107
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.140.13.188
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	104.192.141.1
	7RsDGpyOQk.exe	Get hash	malicious	FormBook	Browse	76.223.105.230
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	13.227.219.106
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t	Get hash	malicious	HTMLPhisher	Browse	18.245.31.89
	https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s	Get hash	malicious	HTMLPhisher	Browse	108.156.39.24
	RR1h1iO6W2.exe	Get hash	malicious	FormBook	Browse	18.138.110.70
	https://lnkd.in/exwPeXjc	Get hash	malicious	HTMLPhisher	Browse	13.32.99.33
AMAZON-AESUS	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	52.204.220.16
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	44.221.84.105
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	3.5.29.31
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	3.81.197.107
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t	Get hash	malicious	HTMLPhisher	Browse	3.227.135.8
	https://www.evernote.com/shard/s371/sh/f041cc04-2eb8-11e1-1279-c0c24914207a/LWhD3rgdQ5xR5t--iDOJ7P-MUkYVUhgRq62dC8LVzLZOnctWRKJm5hEzqg	Get hash	malicious	HTMLPhisher	Browse	44.197.227.46
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	52.23.111.175
	Invoice - 21153253589581947197326090404964329500290845699807 - Toyotaconnected.pdf	Get hash	malicious	Unknown	Browse	52.6.155.20
	https://developers.foxit.com/	Get hash	malicious	Unknown	Browse	3.220.153.227
NFORCENL	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	77.247.183.154
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	77.247.183.148
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse	185.107.56.202
	ILTgEaPqmE.exe	Get hash	malicious	Unknown	Browse	77.247.183.148
	Jla3M8Fe16.exe	Get hash	malicious	Unknown	Browse	77.247.183.151
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	http://www.bykiston.fi	Get hash	malicious	Unknown	Browse	179.60.150.123
	https://bitbucket.oreaillyauto.com/	Get hash	malicious	Unknown	Browse	77.247.183.151
	REQUEST SCHL-30112023-M1 Quotation_1033855).pdf	Get hash	malicious	Unknown	Browse	192.121.17.232

Process:	C:\Users\user\Desktop\7sAylAXBOb.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	3.584962500721156
Encrypted:	false
SSDEEP:	3:t0san:Tan
MD5:	FCE0792EAE5493BDFEDF595683809BD3
SHA1:	D1598DAD5C24BBF13979E55479DE0518EEC8F34E
SHA-256:	BEA41B7DD886CE210C67692BDD48A4111733BFF90823914534E99E2180235951
SHA-512:	FCD09FFC6B7AF14E3F996C741325AAAC6BF40BAAA719D604D7952B0F07FED7F9FA619E0AE567434C57C3C96568F77C9FC7F1AD2644F6BFCDEF14C42E930C0B11
Malicious:	false
Reputation:	low
Preview:	..tw.1d. .a

C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe

Download File

Process:	C:\Users\user\Desktop\7sAylAXBOb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	359424
Entropy (8bit):	6.767324484908409
Encrypted:	false
SSDEEP:	6144:m2dGPhmZjeu5aWA5l+xullevSa/iS5LNGaMGuTEIZzdK2dxP4QoO0kTajqO/jOiL:mxPg32l+s/fa/HLGaMGuhdxAjOeqbiJN
MD5:	85179AC6AEC3B32A40B06F35CFC6594B
SHA1:	6700B84FA70C4B5CCAB8688DB32AC71A2AAFEEB6
SHA-256:	C634F44560FE43DEF439CBF47BA668DFEE9905D2E5CAE1BAC2789E59F82E8526
SHA-512:	589B192DBC3E541A440CE52439ACF746091556CA73418D3E4FE0D15003D27BB0E42AFE3365A6D3F86445B509A2968D59D38A07D24B7C7AD5B28222DCB74ADDAF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....&zV.....................z............... ....@.......................................@....................................P...............................X.................................................... ...............................text...j........................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\zqzhokrkxswikv\gyyuuofs.exe

Download File

Process:	C:\zqzhokrkxswikv\nlsxqvtcr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	359424
Entropy (8bit):	6.767324484908409
Encrypted:	false
SSDEEP:	6144:m2dGPhmZjeu5aWA5l+xullevSa/iS5LNGaMGuTEIZzdK2dxP4QoO0kTajqO/jOiL:mxPg32l+s/fa/HLGaMGuhdxAjOeqbiJN
MD5:	85179AC6AEC3B32A40B06F35CFC6594B
SHA1:	6700B84FA70C4B5CCAB8688DB32AC71A2AAFEEB6
SHA-256:	C634F44560FE43DEF439CBF47BA668DFEE9905D2E5CAE1BAC2789E59F82E8526
SHA-512:	589B192DBC3E541A440CE52439ACF746091556CA73418D3E4FE0D15003D27BB0E42AFE3365A6D3F86445B509A2968D59D38A07D24B7C7AD5B28222DCB74ADDAF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....&zV.....................z............... ....@.......................................@....................................P...............................X.................................................... ...............................text...j........................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\zqzhokrkxswikv\nlsxqvtcr.exe

Download File

Process:	C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	359424
Entropy (8bit):	6.767324484908409
Encrypted:	false
SSDEEP:	6144:m2dGPhmZjeu5aWA5l+xullevSa/iS5LNGaMGuTEIZzdK2dxP4QoO0kTajqO/jOiL:mxPg32l+s/fa/HLGaMGuhdxAjOeqbiJN
MD5:	85179AC6AEC3B32A40B06F35CFC6594B
SHA1:	6700B84FA70C4B5CCAB8688DB32AC71A2AAFEEB6
SHA-256:	C634F44560FE43DEF439CBF47BA668DFEE9905D2E5CAE1BAC2789E59F82E8526
SHA-512:	589B192DBC3E541A440CE52439ACF746091556CA73418D3E4FE0D15003D27BB0E42AFE3365A6D3F86445B509A2968D59D38A07D24B7C7AD5B28222DCB74ADDAF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....&zV.....................z............... ....@.......................................@....................................P...............................X.................................................... ...............................text...j........................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\zqzhokrkxswikv\tpcbuesrb

Download File

Process:	C:\Users\user\Desktop\7sAylAXBOb.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	3.584962500721156
Encrypted:	false
SSDEEP:	3:t0san:Tan
MD5:	FCE0792EAE5493BDFEDF595683809BD3
SHA1:	D1598DAD5C24BBF13979E55479DE0518EEC8F34E
SHA-256:	BEA41B7DD886CE210C67692BDD48A4111733BFF90823914534E99E2180235951
SHA-512:	FCD09FFC6B7AF14E3F996C741325AAAC6BF40BAAA719D604D7952B0F07FED7F9FA619E0AE567434C57C3C96568F77C9FC7F1AD2644F6BFCDEF14C42E930C0B11
Malicious:	false
Reputation:	low
Preview:	..tw.1d. .a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.767324484908409
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7sAylAXBOb.exe
File size:	359'424 bytes
MD5:	85179ac6aec3b32a40b06f35cfc6594b
SHA1:	6700b84fa70c4b5ccab8688db32ac71a2aafeeb6
SHA256:	c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526
SHA512:	589b192dbc3e541a440ce52439acf746091556ca73418d3e4fe0d15003d27bb0e42afe3365a6d3f86445b509a2968d59d38a07d24b7c7ad5b28222dcb74addaf
SSDEEP:	6144:m2dGPhmZjeu5aWA5l+xullevSa/iS5LNGaMGuTEIZzdK2dxP4QoO0kTajqO/jOiL:mxPg32l+s/fa/HLGaMGuhdxAjOeqbiJN
TLSH:	9974E7FEED8280DEDC42A4BC85B56373E3AD50547AA861CF5680378425B96F4E93730B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O...O...O...4...O...N...O..B....O...@...O..B....O.Rich..O.........................PE..L....&zV.....................z.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42ffe0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x567A26C6 [Wed Dec 23 04:44:54 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	62aa572a88e25f17d15d26d7ecb13b7d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 08h
fld dword ptr [0044D308h]
push esi
fsub qword ptr [0044BAE8h]
fistp qword ptr [ebp-08h]
movzx eax, word ptr [ebp-08h]
mov word ptr [0044D360h], ax
fld dword ptr [0044D308h]
fadd qword ptr [00445D50h]
fstp dword ptr [0044D308h]
call 00007F2E55055C6Eh
mov cx, word ptr [0044D464h]
movsx edx, cx
mov eax, A9275A0Dh
sub eax, edx
add dword ptr [0044D41Ch], eax
call 00007F2E55053EB2h
movzx eax, word ptr [0044D148h]
movsx ecx, ax
mov dword ptr [ebp-04h], ecx
push 00442124h
push 0044211Ch
fild dword ptr [ebp-04h]
fmul qword ptr [0044D468h]
fistp qword ptr [ebp-08h]
movzx edx, word ptr [ebp-08h]
mov word ptr [0044D148h], dx
fld qword ptr [0044D468h]
fsub qword ptr [00445D50h]
fstp qword ptr [0044D468h]
call 00007F2E5505401Dh
fld dword ptr [0044D000h]
movzx eax, word ptr [0044D144h]
movsx ecx, ax
sub ecx, 5E59A4D6h
mov dword ptr [ebp-04h], ecx
add esp, 08h
fild dword ptr [ebp-04h]
fsub qword ptr [0044D258h]
fsubp st(1), st(0)
fstp dword ptr [0044D000h]
fld qword ptr [00000058h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2003 (.NET) build 3077
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4baf0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc658	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4076a	0x40800	757686ffd2b3473a13f7214868c87335	False	0.5194290515988372	data	6.282613198302832	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0xa11e	0xa200	00f389e651b558d4ce56c2c12532ab4b	False	0.7437307098765432	data	6.501542072030581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0xf7c	0x600	022900d7974dbe9018ff64c0db27de13	False	0.716796875	data	5.406411759796486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4e000	0xc6fc	0xc800	eb48425af4fe6450f92c4d0c5736331c	False	0.66421875	data	6.837099023255398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetMapMode, GetFontLanguageInfo, SetTextAlign, GetSystemPaletteUse, GetFontUnicodeRanges, GetNearestPaletteIndex, GetDCBrushColor, GetClipRgn, GetStretchBltMode, SetSystemPaletteUse, GetTextAlign, GetTextCharsetInfo, SetTextColor, GetTextCharset, GetBkColor, GetPolyFillMode, GetDeviceCaps, SetTextCharacterExtra
USER32.dll	CharLowerBuffA, WindowFromDC, GetMenuItemCount, EndPaint, SetFocus, SetWindowTextA, GetCursor, GetDlgItemInt, PostMessageA, GetKeyboardType, CallWindowProcA, GetQueueStatus, CheckDlgButton, DrawTextA, GetMenuState, GetMenuCheckMarkDimensions, wvsprintfA, GetDialogBaseUnits
KERNEL32.dll	GetProcAddress, CreateFileA, lstrlenA, HeapReAlloc, WriteFile, GetFileSize, CloseHandle, GlobalSize, GetCurrentThreadId, GetVersion, GetCurrentProcess, SizeofResource, GetModuleHandleA, IsProcessorFeaturePresent, DeleteFileA, SetFilePointer, GetStdHandle, QueryPerformanceCounter, HeapFree, GetProcessHeap, HeapAlloc, ExitProcess, SystemTimeToFileTime, GetSystemTime, IsDebuggerPresent, GetLastError, GetFileTime, GetCurrentProcessId, GetTickCount, GlobalFlags, MoveFileA, LockResource

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/03/24-16:25:11.482211	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49710	34.246.200.160	192.168.2.9
07/03/24-16:25:12.587584	UDP	2811542	ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)	53	58330	1.1.1.1	192.168.2.9
07/03/24-16:25:12.567884	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49711	3.94.10.34	192.168.2.9
07/03/24-16:25:06.455531	TCP	2815568	ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort	49706	80	192.168.2.9	77.247.183.155
07/03/24-16:26:32.618956	TCP	2815568	ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort	53879	80	192.168.2.9	77.247.183.155
07/03/24-16:25:09.738416	UDP	2018316	ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	50077	1.1.1.1	192.168.2.9
07/03/24-16:25:17.978035	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	53875	44.221.84.105	192.168.2.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:25:06.448519945 CEST	49706	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:25:06.454471111 CEST	80	49706	77.247.183.155	192.168.2.9
Jul 3, 2024 16:25:06.454610109 CEST	49706	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:25:06.455530882 CEST	49706	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:25:06.460355997 CEST	80	49706	77.247.183.155	192.168.2.9
Jul 3, 2024 16:25:07.076055050 CEST	80	49706	77.247.183.155	192.168.2.9
Jul 3, 2024 16:25:07.076581001 CEST	80	49706	77.247.183.155	192.168.2.9
Jul 3, 2024 16:25:07.076644897 CEST	49706	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:25:07.076698065 CEST	49706	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:25:07.081866980 CEST	80	49706	77.247.183.155	192.168.2.9
Jul 3, 2024 16:25:07.112008095 CEST	49707	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:25:07.118264914 CEST	80	49707	217.70.152.246	192.168.2.9
Jul 3, 2024 16:25:07.118385077 CEST	49707	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:25:07.118458986 CEST	49707	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:25:07.123656034 CEST	80	49707	217.70.152.246	192.168.2.9
Jul 3, 2024 16:25:07.779202938 CEST	80	49707	217.70.152.246	192.168.2.9
Jul 3, 2024 16:25:07.780029058 CEST	80	49707	217.70.152.246	192.168.2.9
Jul 3, 2024 16:25:07.780111074 CEST	49707	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:25:07.780162096 CEST	49707	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:25:07.787055969 CEST	80	49707	217.70.152.246	192.168.2.9
Jul 3, 2024 16:25:08.273180962 CEST	49708	80	192.168.2.9	34.205.242.146
Jul 3, 2024 16:25:08.278769970 CEST	80	49708	34.205.242.146	192.168.2.9
Jul 3, 2024 16:25:08.278851986 CEST	49708	80	192.168.2.9	34.205.242.146
Jul 3, 2024 16:25:08.285001040 CEST	49708	80	192.168.2.9	34.205.242.146
Jul 3, 2024 16:25:08.291894913 CEST	80	49708	34.205.242.146	192.168.2.9
Jul 3, 2024 16:25:08.759010077 CEST	80	49708	34.205.242.146	192.168.2.9
Jul 3, 2024 16:25:08.759201050 CEST	80	49708	34.205.242.146	192.168.2.9
Jul 3, 2024 16:25:08.759260893 CEST	49708	80	192.168.2.9	34.205.242.146
Jul 3, 2024 16:25:08.773181915 CEST	49708	80	192.168.2.9	34.205.242.146
Jul 3, 2024 16:25:08.777991056 CEST	80	49708	34.205.242.146	192.168.2.9
Jul 3, 2024 16:25:09.149214983 CEST	49709	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:09.157557011 CEST	80	49709	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:09.157660961 CEST	49709	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:09.157824039 CEST	49709	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:09.167223930 CEST	80	49709	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:09.642329931 CEST	80	49709	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:09.642452955 CEST	80	49709	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:09.642518997 CEST	49709	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:09.642769098 CEST	49709	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:09.651038885 CEST	80	49709	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:10.731021881 CEST	49710	80	192.168.2.9	34.246.200.160
Jul 3, 2024 16:25:10.736130953 CEST	80	49710	34.246.200.160	192.168.2.9
Jul 3, 2024 16:25:10.736227989 CEST	49710	80	192.168.2.9	34.246.200.160
Jul 3, 2024 16:25:10.736298084 CEST	49710	80	192.168.2.9	34.246.200.160
Jul 3, 2024 16:25:10.741219044 CEST	80	49710	34.246.200.160	192.168.2.9
Jul 3, 2024 16:25:11.482211113 CEST	80	49710	34.246.200.160	192.168.2.9
Jul 3, 2024 16:25:11.482484102 CEST	80	49710	34.246.200.160	192.168.2.9
Jul 3, 2024 16:25:11.482552052 CEST	49710	80	192.168.2.9	34.246.200.160
Jul 3, 2024 16:25:11.492538929 CEST	49710	80	192.168.2.9	34.246.200.160
Jul 3, 2024 16:25:11.497411966 CEST	80	49710	34.246.200.160	192.168.2.9
Jul 3, 2024 16:25:12.054594040 CEST	49711	80	192.168.2.9	3.94.10.34
Jul 3, 2024 16:25:12.059564114 CEST	80	49711	3.94.10.34	192.168.2.9
Jul 3, 2024 16:25:12.059649944 CEST	49711	80	192.168.2.9	3.94.10.34
Jul 3, 2024 16:25:12.059690952 CEST	49711	80	192.168.2.9	3.94.10.34
Jul 3, 2024 16:25:12.064696074 CEST	80	49711	3.94.10.34	192.168.2.9
Jul 3, 2024 16:25:12.567883968 CEST	80	49711	3.94.10.34	192.168.2.9
Jul 3, 2024 16:25:12.567941904 CEST	80	49711	3.94.10.34	192.168.2.9
Jul 3, 2024 16:25:12.568008900 CEST	49711	80	192.168.2.9	3.94.10.34
Jul 3, 2024 16:25:12.573725939 CEST	49711	80	192.168.2.9	3.94.10.34
Jul 3, 2024 16:25:12.578583956 CEST	80	49711	3.94.10.34	192.168.2.9
Jul 3, 2024 16:25:12.822922945 CEST	49712	80	192.168.2.9	3.64.163.50
Jul 3, 2024 16:25:12.827994108 CEST	80	49712	3.64.163.50	192.168.2.9
Jul 3, 2024 16:25:12.828074932 CEST	49712	80	192.168.2.9	3.64.163.50
Jul 3, 2024 16:25:12.828120947 CEST	49712	80	192.168.2.9	3.64.163.50
Jul 3, 2024 16:25:12.834439993 CEST	80	49712	3.64.163.50	192.168.2.9
Jul 3, 2024 16:25:13.460616112 CEST	80	49712	3.64.163.50	192.168.2.9
Jul 3, 2024 16:25:13.460642099 CEST	80	49712	3.64.163.50	192.168.2.9
Jul 3, 2024 16:25:13.460707903 CEST	49712	80	192.168.2.9	3.64.163.50
Jul 3, 2024 16:25:13.460896015 CEST	49712	80	192.168.2.9	3.64.163.50
Jul 3, 2024 16:25:13.466336966 CEST	80	49712	3.64.163.50	192.168.2.9
Jul 3, 2024 16:25:15.325100899 CEST	53874	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:15.330269098 CEST	80	53874	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:15.330365896 CEST	53874	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:15.330446959 CEST	53874	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:15.335525990 CEST	80	53874	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:15.786873102 CEST	80	53874	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:15.787005901 CEST	80	53874	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:15.787105083 CEST	53874	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:15.794095039 CEST	53874	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:25:15.799071074 CEST	80	53874	15.197.192.55	192.168.2.9
Jul 3, 2024 16:25:17.499336958 CEST	53875	80	192.168.2.9	44.221.84.105
Jul 3, 2024 16:25:17.504645109 CEST	80	53875	44.221.84.105	192.168.2.9
Jul 3, 2024 16:25:17.504735947 CEST	53875	80	192.168.2.9	44.221.84.105
Jul 3, 2024 16:25:17.504784107 CEST	53875	80	192.168.2.9	44.221.84.105
Jul 3, 2024 16:25:17.511344910 CEST	80	53875	44.221.84.105	192.168.2.9
Jul 3, 2024 16:25:17.978034973 CEST	80	53875	44.221.84.105	192.168.2.9
Jul 3, 2024 16:25:17.978072882 CEST	80	53875	44.221.84.105	192.168.2.9
Jul 3, 2024 16:25:17.978193998 CEST	53875	80	192.168.2.9	44.221.84.105
Jul 3, 2024 16:25:17.978629112 CEST	53875	80	192.168.2.9	44.221.84.105
Jul 3, 2024 16:25:17.983470917 CEST	80	53875	44.221.84.105	192.168.2.9
Jul 3, 2024 16:26:32.613837004 CEST	53879	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:26:32.618748903 CEST	80	53879	77.247.183.155	192.168.2.9
Jul 3, 2024 16:26:32.618855000 CEST	53879	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:26:32.618956089 CEST	53879	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:26:32.625533104 CEST	80	53879	77.247.183.155	192.168.2.9
Jul 3, 2024 16:26:33.227963924 CEST	80	53879	77.247.183.155	192.168.2.9
Jul 3, 2024 16:26:33.228174925 CEST	80	53879	77.247.183.155	192.168.2.9
Jul 3, 2024 16:26:33.228271961 CEST	53879	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:26:33.228591919 CEST	53879	80	192.168.2.9	77.247.183.155
Jul 3, 2024 16:26:33.233428001 CEST	80	53879	77.247.183.155	192.168.2.9
Jul 3, 2024 16:26:34.246718884 CEST	53880	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:26:34.255528927 CEST	80	53880	217.70.152.246	192.168.2.9
Jul 3, 2024 16:26:34.255649090 CEST	53880	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:26:34.255712986 CEST	53880	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:26:34.265037060 CEST	80	53880	217.70.152.246	192.168.2.9
Jul 3, 2024 16:26:34.914418936 CEST	80	53880	217.70.152.246	192.168.2.9
Jul 3, 2024 16:26:34.914598942 CEST	80	53880	217.70.152.246	192.168.2.9
Jul 3, 2024 16:26:34.914647102 CEST	53880	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:26:34.914859056 CEST	53880	80	192.168.2.9	217.70.152.246
Jul 3, 2024 16:26:34.919620991 CEST	80	53880	217.70.152.246	192.168.2.9
Jul 3, 2024 16:26:42.486819983 CEST	53881	80	192.168.2.9	52.86.6.113
Jul 3, 2024 16:26:42.491919041 CEST	80	53881	52.86.6.113	192.168.2.9
Jul 3, 2024 16:26:42.492013931 CEST	53881	80	192.168.2.9	52.86.6.113
Jul 3, 2024 16:26:42.496309996 CEST	53881	80	192.168.2.9	52.86.6.113
Jul 3, 2024 16:26:42.501102924 CEST	80	53881	52.86.6.113	192.168.2.9
Jul 3, 2024 16:26:42.972558022 CEST	80	53881	52.86.6.113	192.168.2.9
Jul 3, 2024 16:26:42.972701073 CEST	80	53881	52.86.6.113	192.168.2.9
Jul 3, 2024 16:26:42.972754955 CEST	53881	80	192.168.2.9	52.86.6.113
Jul 3, 2024 16:26:42.973334074 CEST	53881	80	192.168.2.9	52.86.6.113
Jul 3, 2024 16:26:42.978101015 CEST	80	53881	52.86.6.113	192.168.2.9
Jul 3, 2024 16:26:49.159224033 CEST	53882	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:26:49.164132118 CEST	80	53882	15.197.192.55	192.168.2.9
Jul 3, 2024 16:26:49.164222956 CEST	53882	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:26:49.164278030 CEST	53882	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:26:49.169249058 CEST	80	53882	15.197.192.55	192.168.2.9
Jul 3, 2024 16:26:49.620973110 CEST	80	53882	15.197.192.55	192.168.2.9
Jul 3, 2024 16:26:49.621031046 CEST	80	53882	15.197.192.55	192.168.2.9
Jul 3, 2024 16:26:49.621144056 CEST	53882	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:26:49.621931076 CEST	53882	80	192.168.2.9	15.197.192.55
Jul 3, 2024 16:26:49.626738071 CEST	80	53882	15.197.192.55	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:25:06.217000961 CEST	51193	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:06.253391027 CEST	53	51193	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:06.255976915 CEST	58917	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:06.285578966 CEST	53	58917	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:06.287954092 CEST	56733	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:06.305331945 CEST	53	56733	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:06.307213068 CEST	65288	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:06.319344044 CEST	53	65288	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:06.321113110 CEST	52448	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:06.445929050 CEST	53	52448	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.078269005 CEST	64687	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:07.111421108 CEST	53	64687	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.781563044 CEST	54488	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:07.792998075 CEST	53	54488	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.794714928 CEST	64405	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:07.806257010 CEST	53	64405	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.807764053 CEST	54308	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:07.842143059 CEST	53	54308	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.843740940 CEST	53776	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:07.857767105 CEST	53	53776	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:07.861346006 CEST	58093	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.049510956 CEST	53	58093	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.051444054 CEST	65035	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.062391043 CEST	53	65035	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.063879013 CEST	53514	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.258346081 CEST	53	53514	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.807595015 CEST	51464	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.844233036 CEST	53	51464	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.913894892 CEST	55637	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.925051928 CEST	53	55637	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.929974079 CEST	51299	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.947102070 CEST	53	51299	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.952191114 CEST	62383	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:08.984375000 CEST	53	62383	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:08.986469984 CEST	57142	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.020395994 CEST	53	57142	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.024749041 CEST	60461	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.148452044 CEST	53	60461	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.644687891 CEST	60417	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.665468931 CEST	53	60417	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.667761087 CEST	55691	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.679419994 CEST	53	55691	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.681488991 CEST	62942	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.697419882 CEST	53	62942	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.699515104 CEST	50077	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.738415956 CEST	53	50077	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.740232944 CEST	51750	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.757539034 CEST	53	51750	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.759135008 CEST	50118	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.780802965 CEST	53	50118	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.782394886 CEST	63445	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.799432993 CEST	53	63445	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.801340103 CEST	54934	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.813807964 CEST	53	54934	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.815536022 CEST	58278	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.830101013 CEST	53	58278	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.831847906 CEST	60685	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.846332073 CEST	53	60685	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.848022938 CEST	59056	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.862040997 CEST	53	59056	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.864439011 CEST	57678	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.876540899 CEST	53	57678	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.880649090 CEST	57561	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.918864965 CEST	53	57561	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.922848940 CEST	52689	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.964055061 CEST	53	52689	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.966681957 CEST	51758	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.980309963 CEST	53	51758	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.982611895 CEST	53870	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:09.993161917 CEST	53	53870	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:09.994848013 CEST	61242	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.027920961 CEST	53	61242	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.029675961 CEST	54789	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.040844917 CEST	53	54789	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.045243025 CEST	64225	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.077879906 CEST	53	64225	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.079641104 CEST	56476	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.243143082 CEST	53	56476	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.244896889 CEST	63756	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.256942034 CEST	53	63756	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.258711100 CEST	57269	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.269422054 CEST	53	57269	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.281012058 CEST	51143	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.291575909 CEST	53	51143	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.293252945 CEST	65189	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.311326981 CEST	53	65189	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.312783003 CEST	52724	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.324012041 CEST	53	52724	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.325551987 CEST	51339	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.358690977 CEST	53	51339	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.360167027 CEST	53070	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.393872976 CEST	53	53070	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.395510912 CEST	61046	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.405354023 CEST	53	61046	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.406749964 CEST	56648	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.438163042 CEST	53	56648	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.439693928 CEST	54636	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.453008890 CEST	53	54636	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.454468012 CEST	55600	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.465358973 CEST	53	55600	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.466686010 CEST	54004	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.501131058 CEST	53	54004	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:10.502859116 CEST	50823	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:10.730304956 CEST	53	50823	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:11.530448914 CEST	60919	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:11.540745974 CEST	53	60919	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:11.569191933 CEST	52749	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:11.579854012 CEST	53	52749	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:11.618916035 CEST	51527	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:11.636565924 CEST	53	51527	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:11.639703035 CEST	64255	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:11.650479078 CEST	53	64255	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:11.712887049 CEST	63192	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.053702116 CEST	53	63192	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.576009035 CEST	58330	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.587584019 CEST	53	58330	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.589158058 CEST	49937	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.600172043 CEST	53	49937	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.601869106 CEST	64186	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.637597084 CEST	53	64186	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.639400959 CEST	57024	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.652065039 CEST	53	57024	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.653964996 CEST	52482	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.667777061 CEST	53	52482	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.669609070 CEST	56721	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.702280045 CEST	53	56721	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.704051018 CEST	58364	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.716181993 CEST	53	58364	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.720786095 CEST	51892	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.734568119 CEST	53	51892	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.736274958 CEST	51189	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.750417948 CEST	53	51189	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.752372026 CEST	56481	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.765538931 CEST	53	56481	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.767224073 CEST	52058	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.780000925 CEST	53	52058	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.781418085 CEST	58875	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.793025017 CEST	53	58875	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.794683933 CEST	61760	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.806241035 CEST	53	61760	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:12.807657957 CEST	53197	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:12.822397947 CEST	53	53197	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.462414980 CEST	64344	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.473468065 CEST	53	64344	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.475157976 CEST	56269	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.488861084 CEST	53	56269	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.492074966 CEST	49734	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.502465963 CEST	53	49734	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.504336119 CEST	57202	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.517487049 CEST	53	57202	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.519438028 CEST	60669	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.530690908 CEST	53	60669	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.532404900 CEST	62029	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.544446945 CEST	53	62029	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.546211958 CEST	55223	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.557400942 CEST	53	55223	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.559139967 CEST	57162	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.800492048 CEST	53	57162	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.802373886 CEST	52037	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.813149929 CEST	53	52037	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.814699888 CEST	55444	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:13.987874031 CEST	53	55444	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:13.989948988 CEST	54139	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.001894951 CEST	53	54139	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.003647089 CEST	52163	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.039594889 CEST	53	52163	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.041743040 CEST	58773	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.055284977 CEST	53	58773	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.068718910 CEST	57987	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.080569983 CEST	53	57987	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.082515001 CEST	62699	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.093898058 CEST	53	62699	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.095719099 CEST	63759	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.107194901 CEST	53	63759	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.108876944 CEST	63484	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.122409105 CEST	53	63484	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.124260902 CEST	54122	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.138154984 CEST	53	54122	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.139921904 CEST	49843	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.151803970 CEST	53	49843	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.153696060 CEST	52303	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.186995983 CEST	53	52303	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.189006090 CEST	56527	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.350353956 CEST	53	56527	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.352312088 CEST	61241	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.363970995 CEST	53	61241	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.365633965 CEST	54151	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.374886990 CEST	53	54151	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.376816988 CEST	55951	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.410768986 CEST	53	55951	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.422595024 CEST	60689	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.454862118 CEST	53	60689	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.456782103 CEST	54079	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.488595009 CEST	53	54079	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.490642071 CEST	59879	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.501802921 CEST	53	59879	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.503514051 CEST	60622	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.535294056 CEST	53	60622	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.536942005 CEST	53843	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.548598051 CEST	53	53843	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:14.550395012 CEST	55643	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:14.559921026 CEST	53	55643	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.055119991 CEST	61993	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.093847036 CEST	53	61993	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.096117020 CEST	63780	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.130868912 CEST	53	63780	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.132668972 CEST	55373	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.324371099 CEST	53	55373	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.795618057 CEST	50775	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.829595089 CEST	53	50775	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.831445932 CEST	56190	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.846520901 CEST	53	56190	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.848093987 CEST	61615	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.863198996 CEST	53	61615	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.864875078 CEST	60176	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.875050068 CEST	53	60176	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.876702070 CEST	54697	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.890347004 CEST	53	54697	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.891978979 CEST	55856	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.903541088 CEST	53	55856	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.905280113 CEST	63591	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.941421032 CEST	53	63591	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.943315983 CEST	53828	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.956147909 CEST	53	53828	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.958231926 CEST	58444	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:15.988923073 CEST	53	58444	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:15.991522074 CEST	61778	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.002913952 CEST	53	61778	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.005408049 CEST	59747	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.026571989 CEST	53	59747	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.028386116 CEST	56463	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.068541050 CEST	53	56463	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.070343018 CEST	59907	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.081854105 CEST	53	59907	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.083476067 CEST	52868	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.119196892 CEST	53	52868	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.120918989 CEST	50677	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.130873919 CEST	53	50677	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.182214975 CEST	58703	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.219600916 CEST	53	58703	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.221627951 CEST	54582	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.240552902 CEST	53	54582	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.260178089 CEST	49694	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.300692081 CEST	53	49694	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.330029011 CEST	53324	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.342495918 CEST	53	53324	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.348500013 CEST	61950	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.387286901 CEST	53	61950	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.483491898 CEST	50628	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.644709110 CEST	53	50628	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.763927937 CEST	57983	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.776568890 CEST	53	57983	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.785393953 CEST	49527	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.802715063 CEST	53	49527	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.863065958 CEST	49790	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.876898050 CEST	53	49790	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.885308981 CEST	49875	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.897619963 CEST	53	49875	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.899547100 CEST	51343	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.962017059 CEST	53	51343	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.963870049 CEST	54244	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.976881027 CEST	53	54244	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.979355097 CEST	62035	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:16.994211912 CEST	53	62035	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:16.996009111 CEST	61790	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.031486988 CEST	53	61790	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.033920050 CEST	63668	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.045923948 CEST	53	63668	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.047750950 CEST	54485	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.080251932 CEST	53	54485	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.082130909 CEST	60667	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.115845919 CEST	53	60667	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.117583036 CEST	54421	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.158632994 CEST	53	54421	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.160420895 CEST	57888	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.175389051 CEST	53	57888	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.177962065 CEST	54759	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.194595098 CEST	53	54759	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.196516037 CEST	52672	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.215374947 CEST	53	52672	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.217164040 CEST	62682	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.257915020 CEST	53	62682	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.259691000 CEST	53823	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.297178984 CEST	53	53823	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.299428940 CEST	57618	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.492176056 CEST	53	57618	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.980318069 CEST	58336	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:17.992765903 CEST	53	58336	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:17.994839907 CEST	53577	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.031923056 CEST	53	53577	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.034437895 CEST	63885	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.044241905 CEST	53	63885	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.046109915 CEST	58170	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.057113886 CEST	53	58170	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.059003115 CEST	57244	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.070384026 CEST	53	57244	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.071858883 CEST	57774	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.082859993 CEST	53	57774	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.084405899 CEST	64703	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.096426964 CEST	53	64703	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.098229885 CEST	50782	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.109922886 CEST	53	50782	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.112164021 CEST	50801	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.123245001 CEST	53	50801	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.124867916 CEST	56093	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.167887926 CEST	53	56093	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.169692993 CEST	56411	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.211970091 CEST	53	56411	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.213799000 CEST	59145	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.224261045 CEST	53	59145	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.236237049 CEST	60738	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.246360064 CEST	53	60738	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.247910976 CEST	54553	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.258451939 CEST	53	54553	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.260085106 CEST	49749	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.271354914 CEST	53	49749	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.272860050 CEST	51027	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.283926964 CEST	53	51027	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.285468102 CEST	51278	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.296581984 CEST	53	51278	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.298077106 CEST	49587	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.329875946 CEST	53	49587	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.331574917 CEST	53691	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.368216038 CEST	53	53691	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.369960070 CEST	60386	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.382544994 CEST	53	60386	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.384216070 CEST	62270	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.417275906 CEST	53	62270	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.419152021 CEST	51032	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.429472923 CEST	53	51032	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.430969954 CEST	63804	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.441572905 CEST	53	63804	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.442953110 CEST	51890	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.475796938 CEST	53	51890	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.477493048 CEST	63025	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.510767937 CEST	53	63025	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.512526989 CEST	64134	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.523902893 CEST	53	64134	1.1.1.1	192.168.2.9
Jul 3, 2024 16:25:18.529915094 CEST	64124	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:25:18.564040899 CEST	53	64124	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:29.516648054 CEST	57428	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:29.530050993 CEST	53	57428	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:30.534249067 CEST	63371	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:30.569996119 CEST	53	63371	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:31.583745956 CEST	63089	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:31.594618082 CEST	53	63089	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:35.924891949 CEST	61139	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:35.940006018 CEST	53	61139	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:36.993959904 CEST	57922	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:37.033535957 CEST	53	57922	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:38.086585045 CEST	61765	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:38.099987030 CEST	53	61765	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:39.112385988 CEST	61642	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:39.125189066 CEST	53	61642	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:40.128107071 CEST	53462	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:40.138305902 CEST	53	53462	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:41.145780087 CEST	54884	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:41.158582926 CEST	53	54884	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:42.174659967 CEST	57132	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:42.421264887 CEST	53	57132	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:43.987900019 CEST	60279	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:44.020303965 CEST	53	60279	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:45.034394979 CEST	55475	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:45.067116976 CEST	53	55475	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:46.081134081 CEST	60595	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:46.113507032 CEST	53	60595	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:47.127976894 CEST	58726	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:47.138248920 CEST	53	58726	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:48.143599033 CEST	60239	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:48.154412985 CEST	53	60239	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:50.628057003 CEST	51795	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:50.639619112 CEST	53	51795	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:51.643558979 CEST	53647	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:51.682506084 CEST	53	53647	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:52.691670895 CEST	62992	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:52.708215952 CEST	53	62992	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:53.723493099 CEST	55938	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:53.734694004 CEST	53	55938	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:54.737531900 CEST	49245	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:54.771321058 CEST	53	49245	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:55.784651041 CEST	60835	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:55.797661066 CEST	53	60835	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:56.815742970 CEST	51604	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:56.829003096 CEST	53	51604	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:57.846931934 CEST	51585	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:57.858639002 CEST	53	51585	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:58.862442017 CEST	56359	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:58.895886898 CEST	53	56359	1.1.1.1	192.168.2.9
Jul 3, 2024 16:26:59.909460068 CEST	64396	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:26:59.922218084 CEST	53	64396	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:00.925097942 CEST	62540	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:00.936748028 CEST	53	62540	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:01.987734079 CEST	62067	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:02.000338078 CEST	53	62067	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:03.034455061 CEST	54120	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:03.046812057 CEST	53	54120	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:04.049820900 CEST	50812	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:04.060755014 CEST	53	50812	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:05.037502050 CEST	54576	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:05.272229910 CEST	53	54576	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:06.222018957 CEST	52504	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:06.464262962 CEST	53	52504	1.1.1.1	192.168.2.9
Jul 3, 2024 16:27:07.472749949 CEST	64135	53	192.168.2.9	1.1.1.1
Jul 3, 2024 16:27:07.503686905 CEST	53	64135	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 16:25:06.217000961 CEST	192.168.2.9	1.1.1.1	0x1243	Standard query (0)	cigarettewhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.255976915 CEST	192.168.2.9	1.1.1.1	0x7b89	Standard query (0)	childrenexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.287954092 CEST	192.168.2.9	1.1.1.1	0x20d6	Standard query (0)	familyexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.307213068 CEST	192.168.2.9	1.1.1.1	0x946	Standard query (0)	childrenbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.321113110 CEST	192.168.2.9	1.1.1.1	0x449a	Standard query (0)	familybridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.078269005 CEST	192.168.2.9	1.1.1.1	0xeb0d	Standard query (0)	childrenbicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.781563044 CEST	192.168.2.9	1.1.1.1	0xda3d	Standard query (0)	familybicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.794714928 CEST	192.168.2.9	1.1.1.1	0xa7d0	Standard query (0)	childrenwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.807764053 CEST	192.168.2.9	1.1.1.1	0x7e4d	Standard query (0)	familywhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.843740940 CEST	192.168.2.9	1.1.1.1	0xb2d6	Standard query (0)	eitherexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.861346006 CEST	192.168.2.9	1.1.1.1	0x5282	Standard query (0)	englishexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.051444054 CEST	192.168.2.9	1.1.1.1	0x21e6	Standard query (0)	eitherbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.063879013 CEST	192.168.2.9	1.1.1.1	0x1213	Standard query (0)	englishbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.807595015 CEST	192.168.2.9	1.1.1.1	0x484f	Standard query (0)	eitherbicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.913894892 CEST	192.168.2.9	1.1.1.1	0x8c2	Standard query (0)	englishbicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.929974079 CEST	192.168.2.9	1.1.1.1	0x603e	Standard query (0)	eitherwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.952191114 CEST	192.168.2.9	1.1.1.1	0xc971	Standard query (0)	englishwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.986469984 CEST	192.168.2.9	1.1.1.1	0x7e40	Standard query (0)	expectwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.024749041 CEST	192.168.2.9	1.1.1.1	0xf34f	Standard query (0)	becausewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.644687891 CEST	192.168.2.9	1.1.1.1	0x806a	Standard query (0)	expectwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.667761087 CEST	192.168.2.9	1.1.1.1	0x8c54	Standard query (0)	becausewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.681488991 CEST	192.168.2.9	1.1.1.1	0xab7a	Standard query (0)	expectkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.699515104 CEST	192.168.2.9	1.1.1.1	0x460	Standard query (0)	becausekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.740232944 CEST	192.168.2.9	1.1.1.1	0x5258	Standard query (0)	expectprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.759135008 CEST	192.168.2.9	1.1.1.1	0xed05	Standard query (0)	becauseprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.782394886 CEST	192.168.2.9	1.1.1.1	0x7523	Standard query (0)	personwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.801340103 CEST	192.168.2.9	1.1.1.1	0xd603	Standard query (0)	machinewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.815536022 CEST	192.168.2.9	1.1.1.1	0xc6b9	Standard query (0)	personwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.831847906 CEST	192.168.2.9	1.1.1.1	0x89ba	Standard query (0)	machinewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.848022938 CEST	192.168.2.9	1.1.1.1	0xe4e9	Standard query (0)	personkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.864439011 CEST	192.168.2.9	1.1.1.1	0x252	Standard query (0)	machinekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.880649090 CEST	192.168.2.9	1.1.1.1	0xc635	Standard query (0)	personprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.922848940 CEST	192.168.2.9	1.1.1.1	0xac1	Standard query (0)	machineprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.966681957 CEST	192.168.2.9	1.1.1.1	0xa272	Standard query (0)	suddenwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.982611895 CEST	192.168.2.9	1.1.1.1	0xf2c6	Standard query (0)	foreignwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.994848013 CEST	192.168.2.9	1.1.1.1	0x6e7d	Standard query (0)	suddenwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.029675961 CEST	192.168.2.9	1.1.1.1	0x9a85	Standard query (0)	foreignwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.045243025 CEST	192.168.2.9	1.1.1.1	0x94ed	Standard query (0)	suddenkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.079641104 CEST	192.168.2.9	1.1.1.1	0x57c	Standard query (0)	foreignkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.244896889 CEST	192.168.2.9	1.1.1.1	0xf6e4	Standard query (0)	suddenprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.258711100 CEST	192.168.2.9	1.1.1.1	0x665f	Standard query (0)	foreignprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.281012058 CEST	192.168.2.9	1.1.1.1	0xc588	Standard query (0)	whetherwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.293252945 CEST	192.168.2.9	1.1.1.1	0x1525	Standard query (0)	rightwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.312783003 CEST	192.168.2.9	1.1.1.1	0x122	Standard query (0)	whetherwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.325551987 CEST	192.168.2.9	1.1.1.1	0xaf50	Standard query (0)	rightwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.360167027 CEST	192.168.2.9	1.1.1.1	0xdfac	Standard query (0)	whetherkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.395510912 CEST	192.168.2.9	1.1.1.1	0xa368	Standard query (0)	rightkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.406749964 CEST	192.168.2.9	1.1.1.1	0x338	Standard query (0)	whetherprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.439693928 CEST	192.168.2.9	1.1.1.1	0xd126	Standard query (0)	rightprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.454468012 CEST	192.168.2.9	1.1.1.1	0xa3cf	Standard query (0)	figurewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.466686010 CEST	192.168.2.9	1.1.1.1	0xab27	Standard query (0)	thoughwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.502859116 CEST	192.168.2.9	1.1.1.1	0x3b41	Standard query (0)	figurewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.530448914 CEST	192.168.2.9	1.1.1.1	0xbb14	Standard query (0)	thoughwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.569191933 CEST	192.168.2.9	1.1.1.1	0x9b66	Standard query (0)	figurekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.618916035 CEST	192.168.2.9	1.1.1.1	0x9559	Standard query (0)	thoughkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.639703035 CEST	192.168.2.9	1.1.1.1	0x6d08	Standard query (0)	figureprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.712887049 CEST	192.168.2.9	1.1.1.1	0x55c2	Standard query (0)	thoughprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.576009035 CEST	192.168.2.9	1.1.1.1	0xdf6b	Standard query (0)	picturewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.589158058 CEST	192.168.2.9	1.1.1.1	0x6a14	Standard query (0)	cigarettewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.601869106 CEST	192.168.2.9	1.1.1.1	0xd8b4	Standard query (0)	picturewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.639400959 CEST	192.168.2.9	1.1.1.1	0xdd06	Standard query (0)	cigarettewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.653964996 CEST	192.168.2.9	1.1.1.1	0x3513	Standard query (0)	picturekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.669609070 CEST	192.168.2.9	1.1.1.1	0x5a22	Standard query (0)	cigarettekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.704051018 CEST	192.168.2.9	1.1.1.1	0xe9b3	Standard query (0)	pictureprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.720786095 CEST	192.168.2.9	1.1.1.1	0x8e5e	Standard query (0)	cigaretteprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.736274958 CEST	192.168.2.9	1.1.1.1	0x9ae9	Standard query (0)	childrenwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.752372026 CEST	192.168.2.9	1.1.1.1	0x502f	Standard query (0)	familywagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.767224073 CEST	192.168.2.9	1.1.1.1	0x7178	Standard query (0)	childrenwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.781418085 CEST	192.168.2.9	1.1.1.1	0x826a	Standard query (0)	familywithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.794683933 CEST	192.168.2.9	1.1.1.1	0xc3d5	Standard query (0)	childrenkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.807657957 CEST	192.168.2.9	1.1.1.1	0xf0e3	Standard query (0)	familykitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.462414980 CEST	192.168.2.9	1.1.1.1	0xd626	Standard query (0)	childrenprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.475157976 CEST	192.168.2.9	1.1.1.1	0xd953	Standard query (0)	familyprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.492074966 CEST	192.168.2.9	1.1.1.1	0xc3a1	Standard query (0)	eitherwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.504336119 CEST	192.168.2.9	1.1.1.1	0x997d	Standard query (0)	englishwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.519438028 CEST	192.168.2.9	1.1.1.1	0x69a5	Standard query (0)	eitherwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.532404900 CEST	192.168.2.9	1.1.1.1	0x26ce	Standard query (0)	englishwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.546211958 CEST	192.168.2.9	1.1.1.1	0x6da1	Standard query (0)	eitherkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.559139967 CEST	192.168.2.9	1.1.1.1	0xf1e	Standard query (0)	englishkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.802373886 CEST	192.168.2.9	1.1.1.1	0x6429	Standard query (0)	eitherprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.814699888 CEST	192.168.2.9	1.1.1.1	0x3867	Standard query (0)	englishprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.989948988 CEST	192.168.2.9	1.1.1.1	0x1cbb	Standard query (0)	expectwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.003647089 CEST	192.168.2.9	1.1.1.1	0x63ff	Standard query (0)	becausewelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.041743040 CEST	192.168.2.9	1.1.1.1	0x6db5	Standard query (0)	expectaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.068718910 CEST	192.168.2.9	1.1.1.1	0x3f4e	Standard query (0)	becausearound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.082515001 CEST	192.168.2.9	1.1.1.1	0xd820	Standard query (0)	expectproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.095719099 CEST	192.168.2.9	1.1.1.1	0x8fbb	Standard query (0)	becauseproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.108876944 CEST	192.168.2.9	1.1.1.1	0xb0d2	Standard query (0)	expectcomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.124260902 CEST	192.168.2.9	1.1.1.1	0x1fff	Standard query (0)	becausecomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.139921904 CEST	192.168.2.9	1.1.1.1	0x57e6	Standard query (0)	personwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.153696060 CEST	192.168.2.9	1.1.1.1	0x1189	Standard query (0)	machinewelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.189006090 CEST	192.168.2.9	1.1.1.1	0xd95c	Standard query (0)	personaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.352312088 CEST	192.168.2.9	1.1.1.1	0x104d	Standard query (0)	machinearound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.365633965 CEST	192.168.2.9	1.1.1.1	0x7174	Standard query (0)	personproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.376816988 CEST	192.168.2.9	1.1.1.1	0xd10	Standard query (0)	machineproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.422595024 CEST	192.168.2.9	1.1.1.1	0x46f0	Standard query (0)	personcomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.456782103 CEST	192.168.2.9	1.1.1.1	0xa137	Standard query (0)	machinecomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.490642071 CEST	192.168.2.9	1.1.1.1	0xa79a	Standard query (0)	suddenwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.503514051 CEST	192.168.2.9	1.1.1.1	0x3483	Standard query (0)	foreignwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.536942005 CEST	192.168.2.9	1.1.1.1	0xefeb	Standard query (0)	suddenaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.550395012 CEST	192.168.2.9	1.1.1.1	0x95ac	Standard query (0)	foreignaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.055119991 CEST	192.168.2.9	1.1.1.1	0x423	Standard query (0)	suddenproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.096117020 CEST	192.168.2.9	1.1.1.1	0x9c4a	Standard query (0)	foreignproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.132668972 CEST	192.168.2.9	1.1.1.1	0xef54	Standard query (0)	suddencomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.795618057 CEST	192.168.2.9	1.1.1.1	0x2c22	Standard query (0)	foreigncomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.831445932 CEST	192.168.2.9	1.1.1.1	0x7652	Standard query (0)	whetherwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.848093987 CEST	192.168.2.9	1.1.1.1	0x3478	Standard query (0)	rightwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.864875078 CEST	192.168.2.9	1.1.1.1	0x2891	Standard query (0)	whetheraround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.876702070 CEST	192.168.2.9	1.1.1.1	0x777f	Standard query (0)	rightaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.891978979 CEST	192.168.2.9	1.1.1.1	0x2f8	Standard query (0)	whetherproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.905280113 CEST	192.168.2.9	1.1.1.1	0xfa18	Standard query (0)	rightproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.943315983 CEST	192.168.2.9	1.1.1.1	0x2869	Standard query (0)	whethercomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.958231926 CEST	192.168.2.9	1.1.1.1	0x6865	Standard query (0)	rightcomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.991522074 CEST	192.168.2.9	1.1.1.1	0x4130	Standard query (0)	figurewelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.005408049 CEST	192.168.2.9	1.1.1.1	0x34a3	Standard query (0)	thoughwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.028386116 CEST	192.168.2.9	1.1.1.1	0xfcd2	Standard query (0)	figurearound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.070343018 CEST	192.168.2.9	1.1.1.1	0x5db6	Standard query (0)	thougharound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.083476067 CEST	192.168.2.9	1.1.1.1	0x1350	Standard query (0)	figureproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.120918989 CEST	192.168.2.9	1.1.1.1	0xfb6	Standard query (0)	thoughproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.182214975 CEST	192.168.2.9	1.1.1.1	0x491d	Standard query (0)	figurecomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.221627951 CEST	192.168.2.9	1.1.1.1	0x21e0	Standard query (0)	thoughcomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.260178089 CEST	192.168.2.9	1.1.1.1	0x19e9	Standard query (0)	picturewelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.330029011 CEST	192.168.2.9	1.1.1.1	0x897f	Standard query (0)	cigarettewelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.348500013 CEST	192.168.2.9	1.1.1.1	0x2955	Standard query (0)	picturearound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.483491898 CEST	192.168.2.9	1.1.1.1	0xb06e	Standard query (0)	cigarettearound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.763927937 CEST	192.168.2.9	1.1.1.1	0xd243	Standard query (0)	pictureproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.785393953 CEST	192.168.2.9	1.1.1.1	0xdcab	Standard query (0)	cigaretteproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.863065958 CEST	192.168.2.9	1.1.1.1	0xa221	Standard query (0)	picturecomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.885308981 CEST	192.168.2.9	1.1.1.1	0xebf8	Standard query (0)	cigarettecomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.899547100 CEST	192.168.2.9	1.1.1.1	0x547c	Standard query (0)	childrenwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.963870049 CEST	192.168.2.9	1.1.1.1	0x3fb2	Standard query (0)	familywelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.979355097 CEST	192.168.2.9	1.1.1.1	0x70a3	Standard query (0)	childrenaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.996009111 CEST	192.168.2.9	1.1.1.1	0x1baf	Standard query (0)	familyaround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.033920050 CEST	192.168.2.9	1.1.1.1	0xbf9d	Standard query (0)	childrenproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.047750950 CEST	192.168.2.9	1.1.1.1	0x9d7a	Standard query (0)	familyproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.082130909 CEST	192.168.2.9	1.1.1.1	0x10e8	Standard query (0)	childrencomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.117583036 CEST	192.168.2.9	1.1.1.1	0x1e3e	Standard query (0)	familycomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.160420895 CEST	192.168.2.9	1.1.1.1	0x78d8	Standard query (0)	eitherwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.177962065 CEST	192.168.2.9	1.1.1.1	0xc50f	Standard query (0)	englishwelcome.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.196516037 CEST	192.168.2.9	1.1.1.1	0xdc32	Standard query (0)	eitheraround.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.217164040 CEST	192.168.2.9	1.1.1.1	0x669d	Standard query (0)	englisharound.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.259691000 CEST	192.168.2.9	1.1.1.1	0xba62	Standard query (0)	eitherproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.299428940 CEST	192.168.2.9	1.1.1.1	0x6719	Standard query (0)	englishproud.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.980318069 CEST	192.168.2.9	1.1.1.1	0xa3a7	Standard query (0)	eithercomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.994839907 CEST	192.168.2.9	1.1.1.1	0xe36d	Standard query (0)	englishcomplete.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.034437895 CEST	192.168.2.9	1.1.1.1	0x5a0a	Standard query (0)	expectnature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.046109915 CEST	192.168.2.9	1.1.1.1	0x334	Standard query (0)	becausenature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.059003115 CEST	192.168.2.9	1.1.1.1	0xce4d	Standard query (0)	expectneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.071858883 CEST	192.168.2.9	1.1.1.1	0xa396	Standard query (0)	becauseneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.084405899 CEST	192.168.2.9	1.1.1.1	0x69dc	Standard query (0)	expectenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.098229885 CEST	192.168.2.9	1.1.1.1	0xf4b2	Standard query (0)	becauseenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.112164021 CEST	192.168.2.9	1.1.1.1	0xb7ba	Standard query (0)	expectgovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.124867916 CEST	192.168.2.9	1.1.1.1	0xdce7	Standard query (0)	becausegovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.169692993 CEST	192.168.2.9	1.1.1.1	0x1842	Standard query (0)	personnature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.213799000 CEST	192.168.2.9	1.1.1.1	0x8aff	Standard query (0)	machinenature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.236237049 CEST	192.168.2.9	1.1.1.1	0xaa37	Standard query (0)	personneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.247910976 CEST	192.168.2.9	1.1.1.1	0x473	Standard query (0)	machineneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.260085106 CEST	192.168.2.9	1.1.1.1	0x1f4c	Standard query (0)	personenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.272860050 CEST	192.168.2.9	1.1.1.1	0x74cb	Standard query (0)	machineenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.285468102 CEST	192.168.2.9	1.1.1.1	0xbd7e	Standard query (0)	persongovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.298077106 CEST	192.168.2.9	1.1.1.1	0xf8e4	Standard query (0)	machinegovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.331574917 CEST	192.168.2.9	1.1.1.1	0xb7a8	Standard query (0)	suddennature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.369960070 CEST	192.168.2.9	1.1.1.1	0x15f3	Standard query (0)	foreignnature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.384216070 CEST	192.168.2.9	1.1.1.1	0xb772	Standard query (0)	suddenneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.419152021 CEST	192.168.2.9	1.1.1.1	0x9372	Standard query (0)	foreignneedle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.430969954 CEST	192.168.2.9	1.1.1.1	0xedc1	Standard query (0)	suddenenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.442953110 CEST	192.168.2.9	1.1.1.1	0x9cfc	Standard query (0)	foreignenough.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.477493048 CEST	192.168.2.9	1.1.1.1	0x90db	Standard query (0)	suddengovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.512526989 CEST	192.168.2.9	1.1.1.1	0x7a03	Standard query (0)	foreigngovern.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.529915094 CEST	192.168.2.9	1.1.1.1	0xbf0e	Standard query (0)	whethernature.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:29.516648054 CEST	192.168.2.9	1.1.1.1	0x9e14	Standard query (0)	childrenexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:30.534249067 CEST	192.168.2.9	1.1.1.1	0xac53	Standard query (0)	familyexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:31.583745956 CEST	192.168.2.9	1.1.1.1	0x6f56	Standard query (0)	childrenbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:35.924891949 CEST	192.168.2.9	1.1.1.1	0x5dd6	Standard query (0)	familybicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:36.993959904 CEST	192.168.2.9	1.1.1.1	0xb805	Standard query (0)	childrenwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:38.086585045 CEST	192.168.2.9	1.1.1.1	0xfffc	Standard query (0)	familywhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:39.112385988 CEST	192.168.2.9	1.1.1.1	0xae7	Standard query (0)	eitherexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:40.128107071 CEST	192.168.2.9	1.1.1.1	0x4dc5	Standard query (0)	englishexcept.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:41.145780087 CEST	192.168.2.9	1.1.1.1	0x6f80	Standard query (0)	eitherbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:42.174659967 CEST	192.168.2.9	1.1.1.1	0xd016	Standard query (0)	englishbridge.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:43.987900019 CEST	192.168.2.9	1.1.1.1	0xb195	Standard query (0)	eitherbicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:45.034394979 CEST	192.168.2.9	1.1.1.1	0xc154	Standard query (0)	englishbicycle.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:46.081134081 CEST	192.168.2.9	1.1.1.1	0x2b81	Standard query (0)	eitherwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:47.127976894 CEST	192.168.2.9	1.1.1.1	0x6ec6	Standard query (0)	englishwhose.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:48.143599033 CEST	192.168.2.9	1.1.1.1	0x54bf	Standard query (0)	expectwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:50.628057003 CEST	192.168.2.9	1.1.1.1	0x73ea	Standard query (0)	expectwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:51.643558979 CEST	192.168.2.9	1.1.1.1	0x402c	Standard query (0)	becausewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:52.691670895 CEST	192.168.2.9	1.1.1.1	0x8f93	Standard query (0)	expectkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:53.723493099 CEST	192.168.2.9	1.1.1.1	0x16a5	Standard query (0)	becausekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:54.737531900 CEST	192.168.2.9	1.1.1.1	0x18ec	Standard query (0)	expectprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:55.784651041 CEST	192.168.2.9	1.1.1.1	0x35dc	Standard query (0)	becauseprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:56.815742970 CEST	192.168.2.9	1.1.1.1	0x9a4c	Standard query (0)	personwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:57.846931934 CEST	192.168.2.9	1.1.1.1	0x120c	Standard query (0)	machinewagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:58.862442017 CEST	192.168.2.9	1.1.1.1	0x8916	Standard query (0)	personwithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:59.909460068 CEST	192.168.2.9	1.1.1.1	0xac02	Standard query (0)	machinewithout.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:00.925097942 CEST	192.168.2.9	1.1.1.1	0xc8f7	Standard query (0)	personkitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:01.987734079 CEST	192.168.2.9	1.1.1.1	0x2520	Standard query (0)	machinekitchen.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:03.034455061 CEST	192.168.2.9	1.1.1.1	0xbf72	Standard query (0)	personprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:04.049820900 CEST	192.168.2.9	1.1.1.1	0xb18a	Standard query (0)	machineprobable.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:05.037502050 CEST	192.168.2.9	1.1.1.1	0xe9e8	Standard query (0)	suddenwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:06.222018957 CEST	192.168.2.9	1.1.1.1	0x206d	Standard query (0)	foreignwagon.net	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:07.472749949 CEST	192.168.2.9	1.1.1.1	0x24ee	Standard query (0)	suddenwithout.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 16:25:06.253391027 CEST	1.1.1.1	192.168.2.9	0x1243	Name error (3)	cigarettewhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.285578966 CEST	1.1.1.1	192.168.2.9	0x7b89	Name error (3)	childrenexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.305331945 CEST	1.1.1.1	192.168.2.9	0x20d6	Name error (3)	familyexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.319344044 CEST	1.1.1.1	192.168.2.9	0x946	Name error (3)	childrenbridge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:06.445929050 CEST	1.1.1.1	192.168.2.9	0x449a	No error (0)	familybridge.net		77.247.183.155	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.111421108 CEST	1.1.1.1	192.168.2.9	0xeb0d	No error (0)	childrenbicycle.net		217.70.152.246	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.792998075 CEST	1.1.1.1	192.168.2.9	0xda3d	Name error (3)	familybicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.806257010 CEST	1.1.1.1	192.168.2.9	0xa7d0	Name error (3)	childrenwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.842143059 CEST	1.1.1.1	192.168.2.9	0x7e4d	Name error (3)	familywhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:07.857767105 CEST	1.1.1.1	192.168.2.9	0xb2d6	Name error (3)	eitherexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.049510956 CEST	1.1.1.1	192.168.2.9	0x5282	Name error (3)	englishexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.062391043 CEST	1.1.1.1	192.168.2.9	0x21e6	Name error (3)	eitherbridge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.258346081 CEST	1.1.1.1	192.168.2.9	0x1213	No error (0)	englishbridge.net	traff-5.hugedomains.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 16:25:08.258346081 CEST	1.1.1.1	192.168.2.9	0x1213	No error (0)	traff-5.hugedomains.com	hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 16:25:08.258346081 CEST	1.1.1.1	192.168.2.9	0x1213	No error (0)	hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com		34.205.242.146	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.258346081 CEST	1.1.1.1	192.168.2.9	0x1213	No error (0)	hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com		54.161.222.85	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.844233036 CEST	1.1.1.1	192.168.2.9	0x484f	Name error (3)	eitherbicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.925051928 CEST	1.1.1.1	192.168.2.9	0x8c2	Name error (3)	englishbicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.947102070 CEST	1.1.1.1	192.168.2.9	0x603e	Name error (3)	eitherwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:08.984375000 CEST	1.1.1.1	192.168.2.9	0xc971	Name error (3)	englishwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.020395994 CEST	1.1.1.1	192.168.2.9	0x7e40	Name error (3)	expectwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.148452044 CEST	1.1.1.1	192.168.2.9	0xf34f	No error (0)	becausewagon.net		15.197.192.55	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.665468931 CEST	1.1.1.1	192.168.2.9	0x806a	Name error (3)	expectwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.679419994 CEST	1.1.1.1	192.168.2.9	0x8c54	Name error (3)	becausewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.697419882 CEST	1.1.1.1	192.168.2.9	0xab7a	Name error (3)	expectkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.738415956 CEST	1.1.1.1	192.168.2.9	0x460	Name error (3)	becausekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.757539034 CEST	1.1.1.1	192.168.2.9	0x5258	Name error (3)	expectprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.780802965 CEST	1.1.1.1	192.168.2.9	0xed05	Name error (3)	becauseprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.799432993 CEST	1.1.1.1	192.168.2.9	0x7523	Name error (3)	personwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.813807964 CEST	1.1.1.1	192.168.2.9	0xd603	Name error (3)	machinewagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.830101013 CEST	1.1.1.1	192.168.2.9	0xc6b9	Name error (3)	personwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.846332073 CEST	1.1.1.1	192.168.2.9	0x89ba	Name error (3)	machinewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.862040997 CEST	1.1.1.1	192.168.2.9	0xe4e9	Name error (3)	personkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.876540899 CEST	1.1.1.1	192.168.2.9	0x252	Name error (3)	machinekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.918864965 CEST	1.1.1.1	192.168.2.9	0xc635	Name error (3)	personprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.964055061 CEST	1.1.1.1	192.168.2.9	0xac1	Name error (3)	machineprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.980309963 CEST	1.1.1.1	192.168.2.9	0xa272	Name error (3)	suddenwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:09.993161917 CEST	1.1.1.1	192.168.2.9	0xf2c6	Name error (3)	foreignwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.027920961 CEST	1.1.1.1	192.168.2.9	0x6e7d	Name error (3)	suddenwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.040844917 CEST	1.1.1.1	192.168.2.9	0x9a85	Name error (3)	foreignwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.077879906 CEST	1.1.1.1	192.168.2.9	0x94ed	Name error (3)	suddenkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.243143082 CEST	1.1.1.1	192.168.2.9	0x57c	Name error (3)	foreignkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.256942034 CEST	1.1.1.1	192.168.2.9	0xf6e4	Name error (3)	suddenprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.269422054 CEST	1.1.1.1	192.168.2.9	0x665f	Name error (3)	foreignprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.291575909 CEST	1.1.1.1	192.168.2.9	0xc588	Name error (3)	whetherwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.311326981 CEST	1.1.1.1	192.168.2.9	0x1525	Name error (3)	rightwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.324012041 CEST	1.1.1.1	192.168.2.9	0x122	Name error (3)	whetherwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.358690977 CEST	1.1.1.1	192.168.2.9	0xaf50	Name error (3)	rightwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.393872976 CEST	1.1.1.1	192.168.2.9	0xdfac	Name error (3)	whetherkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.405354023 CEST	1.1.1.1	192.168.2.9	0xa368	Name error (3)	rightkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.438163042 CEST	1.1.1.1	192.168.2.9	0x338	Name error (3)	whetherprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.453008890 CEST	1.1.1.1	192.168.2.9	0xd126	Name error (3)	rightprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.465358973 CEST	1.1.1.1	192.168.2.9	0xa3cf	Name error (3)	figurewagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.501131058 CEST	1.1.1.1	192.168.2.9	0xab27	Name error (3)	thoughwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:10.730304956 CEST	1.1.1.1	192.168.2.9	0x3b41	No error (0)	figurewithout.net		34.246.200.160	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.540745974 CEST	1.1.1.1	192.168.2.9	0xbb14	Name error (3)	thoughwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.579854012 CEST	1.1.1.1	192.168.2.9	0x9b66	Name error (3)	figurekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.636565924 CEST	1.1.1.1	192.168.2.9	0x9559	Name error (3)	thoughkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:11.650479078 CEST	1.1.1.1	192.168.2.9	0x6d08	Name error (3)	figureprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.053702116 CEST	1.1.1.1	192.168.2.9	0x55c2	No error (0)	thoughprobable.net		3.94.10.34	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.587584019 CEST	1.1.1.1	192.168.2.9	0xdf6b	Name error (3)	picturewagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.600172043 CEST	1.1.1.1	192.168.2.9	0x6a14	Name error (3)	cigarettewagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.637597084 CEST	1.1.1.1	192.168.2.9	0xd8b4	Name error (3)	picturewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.652065039 CEST	1.1.1.1	192.168.2.9	0xdd06	Name error (3)	cigarettewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.667777061 CEST	1.1.1.1	192.168.2.9	0x3513	Name error (3)	picturekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.702280045 CEST	1.1.1.1	192.168.2.9	0x5a22	Name error (3)	cigarettekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.716181993 CEST	1.1.1.1	192.168.2.9	0xe9b3	Name error (3)	pictureprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.734568119 CEST	1.1.1.1	192.168.2.9	0x8e5e	Name error (3)	cigaretteprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.750417948 CEST	1.1.1.1	192.168.2.9	0x9ae9	Name error (3)	childrenwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.765538931 CEST	1.1.1.1	192.168.2.9	0x502f	Name error (3)	familywagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.780000925 CEST	1.1.1.1	192.168.2.9	0x7178	Name error (3)	childrenwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.793025017 CEST	1.1.1.1	192.168.2.9	0x826a	Name error (3)	familywithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.806241035 CEST	1.1.1.1	192.168.2.9	0xc3d5	Name error (3)	childrenkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:12.822397947 CEST	1.1.1.1	192.168.2.9	0xf0e3	No error (0)	familykitchen.net		3.64.163.50	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.473468065 CEST	1.1.1.1	192.168.2.9	0xd626	Name error (3)	childrenprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.488861084 CEST	1.1.1.1	192.168.2.9	0xd953	Name error (3)	familyprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.502465963 CEST	1.1.1.1	192.168.2.9	0xc3a1	Name error (3)	eitherwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.517487049 CEST	1.1.1.1	192.168.2.9	0x997d	Name error (3)	englishwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.530690908 CEST	1.1.1.1	192.168.2.9	0x69a5	Name error (3)	eitherwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.544446945 CEST	1.1.1.1	192.168.2.9	0x26ce	Name error (3)	englishwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.557400942 CEST	1.1.1.1	192.168.2.9	0x6da1	Name error (3)	eitherkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.800492048 CEST	1.1.1.1	192.168.2.9	0xf1e	Server failure (2)	englishkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.813149929 CEST	1.1.1.1	192.168.2.9	0x6429	Name error (3)	eitherprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:13.987874031 CEST	1.1.1.1	192.168.2.9	0x3867	Name error (3)	englishprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.001894951 CEST	1.1.1.1	192.168.2.9	0x1cbb	Name error (3)	expectwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.039594889 CEST	1.1.1.1	192.168.2.9	0x63ff	Name error (3)	becausewelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.055284977 CEST	1.1.1.1	192.168.2.9	0x6db5	Name error (3)	expectaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.080569983 CEST	1.1.1.1	192.168.2.9	0x3f4e	Name error (3)	becausearound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.093898058 CEST	1.1.1.1	192.168.2.9	0xd820	Name error (3)	expectproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.107194901 CEST	1.1.1.1	192.168.2.9	0x8fbb	Name error (3)	becauseproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.122409105 CEST	1.1.1.1	192.168.2.9	0xb0d2	Name error (3)	expectcomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.138154984 CEST	1.1.1.1	192.168.2.9	0x1fff	Name error (3)	becausecomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.151803970 CEST	1.1.1.1	192.168.2.9	0x57e6	Name error (3)	personwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.186995983 CEST	1.1.1.1	192.168.2.9	0x1189	Name error (3)	machinewelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.350353956 CEST	1.1.1.1	192.168.2.9	0xd95c	Name error (3)	personaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.363970995 CEST	1.1.1.1	192.168.2.9	0x104d	Name error (3)	machinearound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.374886990 CEST	1.1.1.1	192.168.2.9	0x7174	Name error (3)	personproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.410768986 CEST	1.1.1.1	192.168.2.9	0xd10	Name error (3)	machineproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.454862118 CEST	1.1.1.1	192.168.2.9	0x46f0	Name error (3)	personcomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.488595009 CEST	1.1.1.1	192.168.2.9	0xa137	Name error (3)	machinecomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.501802921 CEST	1.1.1.1	192.168.2.9	0xa79a	Name error (3)	suddenwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.535294056 CEST	1.1.1.1	192.168.2.9	0x3483	Name error (3)	foreignwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:14.548598051 CEST	1.1.1.1	192.168.2.9	0xefeb	Name error (3)	suddenaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.093847036 CEST	1.1.1.1	192.168.2.9	0x423	Name error (3)	suddenproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.130868912 CEST	1.1.1.1	192.168.2.9	0x9c4a	Name error (3)	foreignproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.324371099 CEST	1.1.1.1	192.168.2.9	0xef54	No error (0)	suddencomplete.net		15.197.192.55	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.829595089 CEST	1.1.1.1	192.168.2.9	0x2c22	Name error (3)	foreigncomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.846520901 CEST	1.1.1.1	192.168.2.9	0x7652	Name error (3)	whetherwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.863198996 CEST	1.1.1.1	192.168.2.9	0x3478	Name error (3)	rightwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.875050068 CEST	1.1.1.1	192.168.2.9	0x2891	Name error (3)	whetheraround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.890347004 CEST	1.1.1.1	192.168.2.9	0x777f	Name error (3)	rightaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.903541088 CEST	1.1.1.1	192.168.2.9	0x2f8	Name error (3)	whetherproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.941421032 CEST	1.1.1.1	192.168.2.9	0xfa18	Name error (3)	rightproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.956147909 CEST	1.1.1.1	192.168.2.9	0x2869	Name error (3)	whethercomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:15.988923073 CEST	1.1.1.1	192.168.2.9	0x6865	Name error (3)	rightcomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.002913952 CEST	1.1.1.1	192.168.2.9	0x4130	Name error (3)	figurewelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.026571989 CEST	1.1.1.1	192.168.2.9	0x34a3	Name error (3)	thoughwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.068541050 CEST	1.1.1.1	192.168.2.9	0xfcd2	Name error (3)	figurearound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.081854105 CEST	1.1.1.1	192.168.2.9	0x5db6	Name error (3)	thougharound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.119196892 CEST	1.1.1.1	192.168.2.9	0x1350	Name error (3)	figureproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.130873919 CEST	1.1.1.1	192.168.2.9	0xfb6	Name error (3)	thoughproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.219600916 CEST	1.1.1.1	192.168.2.9	0x491d	Name error (3)	figurecomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.240552902 CEST	1.1.1.1	192.168.2.9	0x21e0	Name error (3)	thoughcomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.300692081 CEST	1.1.1.1	192.168.2.9	0x19e9	Name error (3)	picturewelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.342495918 CEST	1.1.1.1	192.168.2.9	0x897f	Name error (3)	cigarettewelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.387286901 CEST	1.1.1.1	192.168.2.9	0x2955	Name error (3)	picturearound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.644709110 CEST	1.1.1.1	192.168.2.9	0xb06e	Name error (3)	cigarettearound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.776568890 CEST	1.1.1.1	192.168.2.9	0xd243	Name error (3)	pictureproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.802715063 CEST	1.1.1.1	192.168.2.9	0xdcab	Name error (3)	cigaretteproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.876898050 CEST	1.1.1.1	192.168.2.9	0xa221	Name error (3)	picturecomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.897619963 CEST	1.1.1.1	192.168.2.9	0xebf8	Name error (3)	cigarettecomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.976881027 CEST	1.1.1.1	192.168.2.9	0x3fb2	Name error (3)	familywelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:16.994211912 CEST	1.1.1.1	192.168.2.9	0x70a3	Name error (3)	childrenaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.031486988 CEST	1.1.1.1	192.168.2.9	0x1baf	Name error (3)	familyaround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.045923948 CEST	1.1.1.1	192.168.2.9	0xbf9d	Name error (3)	childrenproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.080251932 CEST	1.1.1.1	192.168.2.9	0x9d7a	Name error (3)	familyproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.115845919 CEST	1.1.1.1	192.168.2.9	0x10e8	Name error (3)	childrencomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.158632994 CEST	1.1.1.1	192.168.2.9	0x1e3e	Server failure (2)	familycomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.175389051 CEST	1.1.1.1	192.168.2.9	0x78d8	Name error (3)	eitherwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.194595098 CEST	1.1.1.1	192.168.2.9	0xc50f	Name error (3)	englishwelcome.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.215374947 CEST	1.1.1.1	192.168.2.9	0xdc32	Name error (3)	eitheraround.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.257915020 CEST	1.1.1.1	192.168.2.9	0x669d	Name error (3)	englisharound.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.297178984 CEST	1.1.1.1	192.168.2.9	0xba62	Name error (3)	eitherproud.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.492176056 CEST	1.1.1.1	192.168.2.9	0x6719	No error (0)	englishproud.net		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:17.992765903 CEST	1.1.1.1	192.168.2.9	0xa3a7	Name error (3)	eithercomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.031923056 CEST	1.1.1.1	192.168.2.9	0xe36d	Name error (3)	englishcomplete.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.044241905 CEST	1.1.1.1	192.168.2.9	0x5a0a	Name error (3)	expectnature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.057113886 CEST	1.1.1.1	192.168.2.9	0x334	Name error (3)	becausenature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.070384026 CEST	1.1.1.1	192.168.2.9	0xce4d	Name error (3)	expectneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.082859993 CEST	1.1.1.1	192.168.2.9	0xa396	Name error (3)	becauseneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.096426964 CEST	1.1.1.1	192.168.2.9	0x69dc	Name error (3)	expectenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.109922886 CEST	1.1.1.1	192.168.2.9	0xf4b2	Name error (3)	becauseenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.123245001 CEST	1.1.1.1	192.168.2.9	0xb7ba	Name error (3)	expectgovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.167887926 CEST	1.1.1.1	192.168.2.9	0xdce7	Name error (3)	becausegovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.211970091 CEST	1.1.1.1	192.168.2.9	0x1842	Name error (3)	personnature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.224261045 CEST	1.1.1.1	192.168.2.9	0x8aff	Name error (3)	machinenature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.246360064 CEST	1.1.1.1	192.168.2.9	0xaa37	Name error (3)	personneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.258451939 CEST	1.1.1.1	192.168.2.9	0x473	Name error (3)	machineneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.271354914 CEST	1.1.1.1	192.168.2.9	0x1f4c	Name error (3)	personenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.283926964 CEST	1.1.1.1	192.168.2.9	0x74cb	Name error (3)	machineenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.296581984 CEST	1.1.1.1	192.168.2.9	0xbd7e	Name error (3)	persongovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.329875946 CEST	1.1.1.1	192.168.2.9	0xf8e4	Name error (3)	machinegovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.368216038 CEST	1.1.1.1	192.168.2.9	0xb7a8	Name error (3)	suddennature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.382544994 CEST	1.1.1.1	192.168.2.9	0x15f3	Name error (3)	foreignnature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.417275906 CEST	1.1.1.1	192.168.2.9	0xb772	Name error (3)	suddenneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.429472923 CEST	1.1.1.1	192.168.2.9	0x9372	Name error (3)	foreignneedle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.441572905 CEST	1.1.1.1	192.168.2.9	0xedc1	Name error (3)	suddenenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.475796938 CEST	1.1.1.1	192.168.2.9	0x9cfc	Name error (3)	foreignenough.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.510767937 CEST	1.1.1.1	192.168.2.9	0x90db	Name error (3)	suddengovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.523902893 CEST	1.1.1.1	192.168.2.9	0x7a03	Name error (3)	foreigngovern.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:25:18.564040899 CEST	1.1.1.1	192.168.2.9	0xbf0e	Name error (3)	whethernature.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:29.530050993 CEST	1.1.1.1	192.168.2.9	0x9e14	Name error (3)	childrenexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:30.569996119 CEST	1.1.1.1	192.168.2.9	0xac53	Name error (3)	familyexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:31.594618082 CEST	1.1.1.1	192.168.2.9	0x6f56	Name error (3)	childrenbridge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:35.940006018 CEST	1.1.1.1	192.168.2.9	0x5dd6	Name error (3)	familybicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:37.033535957 CEST	1.1.1.1	192.168.2.9	0xb805	Name error (3)	childrenwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:38.099987030 CEST	1.1.1.1	192.168.2.9	0xfffc	Name error (3)	familywhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:39.125189066 CEST	1.1.1.1	192.168.2.9	0xae7	Name error (3)	eitherexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:40.138305902 CEST	1.1.1.1	192.168.2.9	0x4dc5	Name error (3)	englishexcept.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:41.158582926 CEST	1.1.1.1	192.168.2.9	0x6f80	Name error (3)	eitherbridge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:42.421264887 CEST	1.1.1.1	192.168.2.9	0xd016	No error (0)	englishbridge.net	traff-4.hugedomains.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 16:26:42.421264887 CEST	1.1.1.1	192.168.2.9	0xd016	No error (0)	traff-4.hugedomains.com	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 16:26:42.421264887 CEST	1.1.1.1	192.168.2.9	0xd016	No error (0)	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		52.86.6.113	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:42.421264887 CEST	1.1.1.1	192.168.2.9	0xd016	No error (0)	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		3.94.41.167	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:44.020303965 CEST	1.1.1.1	192.168.2.9	0xb195	Name error (3)	eitherbicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:45.067116976 CEST	1.1.1.1	192.168.2.9	0xc154	Name error (3)	englishbicycle.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:46.113507032 CEST	1.1.1.1	192.168.2.9	0x2b81	Name error (3)	eitherwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:47.138248920 CEST	1.1.1.1	192.168.2.9	0x6ec6	Name error (3)	englishwhose.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:48.154412985 CEST	1.1.1.1	192.168.2.9	0x54bf	Name error (3)	expectwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:50.639619112 CEST	1.1.1.1	192.168.2.9	0x73ea	Name error (3)	expectwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:51.682506084 CEST	1.1.1.1	192.168.2.9	0x402c	Name error (3)	becausewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:52.708215952 CEST	1.1.1.1	192.168.2.9	0x8f93	Name error (3)	expectkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:53.734694004 CEST	1.1.1.1	192.168.2.9	0x16a5	Name error (3)	becausekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:54.771321058 CEST	1.1.1.1	192.168.2.9	0x18ec	Name error (3)	expectprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:55.797661066 CEST	1.1.1.1	192.168.2.9	0x35dc	Name error (3)	becauseprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:56.829003096 CEST	1.1.1.1	192.168.2.9	0x9a4c	Name error (3)	personwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:57.858639002 CEST	1.1.1.1	192.168.2.9	0x120c	Name error (3)	machinewagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:58.895886898 CEST	1.1.1.1	192.168.2.9	0x8916	Name error (3)	personwithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:26:59.922218084 CEST	1.1.1.1	192.168.2.9	0xac02	Name error (3)	machinewithout.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:00.936748028 CEST	1.1.1.1	192.168.2.9	0xc8f7	Name error (3)	personkitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:02.000338078 CEST	1.1.1.1	192.168.2.9	0x2520	Name error (3)	machinekitchen.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:03.046812057 CEST	1.1.1.1	192.168.2.9	0xbf72	Name error (3)	personprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:04.060755014 CEST	1.1.1.1	192.168.2.9	0xb18a	Name error (3)	machineprobable.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:05.272229910 CEST	1.1.1.1	192.168.2.9	0xe9e8	Name error (3)	suddenwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:06.464262962 CEST	1.1.1.1	192.168.2.9	0x206d	Name error (3)	foreignwagon.net	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:27:07.503686905 CEST	1.1.1.1	192.168.2.9	0x24ee	Name error (3)	suddenwithout.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

familybridge.net

childrenbicycle.net

englishbridge.net

becausewagon.net

figurewithout.net

thoughprobable.net

familykitchen.net

suddencomplete.net

englishproud.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	77.247.183.155	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:06.455530882 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: familybridge.net
Jul 3, 2024 16:25:07.076055050 CEST	934	IN	HTTP/1.1 200 OK accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile cache-control: max-age=0, private, must-revalidate connection: close content-length: 486 content-type: text/html; charset=utf-8 date: Wed, 03 Jul 2024 14:25:06 GMT server: nginx set-cookie: sid=0bc89109-3948-11ef-ac20-7360233376bf; path=/; domain=.familybridge.net; expires=Mon, 21 Jul 2092 17:39:13 GMT; max-age=2147483647; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 66 61 6d 69 6c 79 62 72 69 64 67 65 2e 6e 65 74 2f 69 6e 64 65 78 2e 70 68 70 3f 63 68 3d 31 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 63 79 4d 44 41 79 4d 7a 6b 77 4e 69 77 69 61 57 46 30 49 6a 6f 78 4e 7a 49 77 4d 44 45 32 4e 7a 41 32 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 64 6d 5a 69 61 7a 55 33 63 6e 52 6b 61 57 78 70 61 33 4a 6f 63 7a 67 77 4d 32 4a 30 5a 32 55 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 33 4d 6a 41 77 4d [TRUNCATED] Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcyMDAyMzkwNiwiaWF0IjoxNzIwMDE2NzA2LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydmZiazU3cnRkaWxpa3JoczgwM2J0Z2UiLCJuYmYiOjE3MjAwMTY3MDYsInRzIjoxNzIwMDE2NzA2OTkwNjc0fQ.yTFpJlWrUq5fKoqe_c8nAxKAMssavYDpYWJvRbruSS0&sid=0bc89109-3948-11ef-ac20-7360233376bf');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49707	217.70.152.246	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:07.118458986 CEST	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: childrenbicycle.net
Jul 3, 2024 16:25:07.779202938 CEST	189	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Wed, 03 Jul 2024 14:25:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Location: http://www.dinobikes.com/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49708	34.205.242.146	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:08.285001040 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: englishbridge.net
Jul 3, 2024 16:25:08.759010077 CEST	175	IN	HTTP/1.1 302 Found content-length: 0 date: Wed, 03 Jul 2024 14:25:07 GMT location: https://www.hugedomains.com/domain_profile.cfm?d=englishbridge.net connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49709	15.197.192.55	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:09.157824039 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: becausewagon.net
Jul 3, 2024 16:25:09.642329931 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 03 Jul 2024 14:25:09 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49710	34.246.200.160	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:10.736298084 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: figurewithout.net
Jul 3, 2024 16:25:11.482211113 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 03 Jul 2024 14:25:11 GMT Content-Type: text/html Connection: close Set-Cookie: btst=df51d5ea411bfc5e3619a916bfb8dee1\|8.46.123.33\|1720016711\|1720016711\|0\|1\|0; path=/; domain=.figurewithout.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49711	3.94.10.34	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:12.059690952 CEST	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughprobable.net
Jul 3, 2024 16:25:12.567883968 CEST	383	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 03 Jul 2024 14:25:12 GMT Content-Type: text/html Connection: close Set-Cookie: btst=ce6a535fa54f14cee0309e132a31bedb\|8.46.123.33\|1720016712\|1720016712\|0\|1\|0; path=/; domain=.thoughprobable.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49712	3.64.163.50	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:12.828120947 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: familykitchen.net
Jul 3, 2024 16:25:13.460616112 CEST	282	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 03 Jul 2024 14:25:13 GMT Content-Type: text/html Content-Length: 140 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	53874	15.197.192.55	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:15.330446959 CEST	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: suddencomplete.net
Jul 3, 2024 16:25:15.786873102 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 03 Jul 2024 14:25:15 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	53875	44.221.84.105	80	660	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:25:17.504784107 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: englishproud.net
Jul 3, 2024 16:25:17.978034973 CEST	381	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 03 Jul 2024 14:25:17 GMT Content-Type: text/html Connection: close Set-Cookie: btst=7db54359d5376239f14ee540ec927a03\|8.46.123.33\|1720016717\|1720016717\|0\|1\|0; path=/; domain=.englishproud.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	53879	77.247.183.155	80	4536	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:26:32.618956089 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: familybridge.net
Jul 3, 2024 16:26:33.227963924 CEST	934	IN	HTTP/1.1 200 OK accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile cache-control: max-age=0, private, must-revalidate connection: close content-length: 486 content-type: text/html; charset=utf-8 date: Wed, 03 Jul 2024 14:26:32 GMT server: nginx set-cookie: sid=3f2227a7-3948-11ef-8d95-7360f1e2d8e1; path=/; domain=.familybridge.net; expires=Mon, 21 Jul 2092 17:40:40 GMT; max-age=2147483647; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 66 61 6d 69 6c 79 62 72 69 64 67 65 2e 6e 65 74 2f 69 6e 64 65 78 2e 70 68 70 3f 63 68 3d 31 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 63 79 4d 44 41 79 4d 7a 6b 35 4d 79 77 69 61 57 46 30 49 6a 6f 78 4e 7a 49 77 4d 44 45 32 4e 7a 6b 7a 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 64 6d 5a 69 61 32 45 34 59 58 4e 6c 59 6d 4a 6c 4d 48 4e 76 4e 6a 41 77 4d 6d 4e 6f 4e 47 67 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 33 4d 6a 41 77 4d [TRUNCATED] Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcyMDAyMzk5MywiaWF0IjoxNzIwMDE2NzkzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydmZia2E4YXNlYmJlMHNvNjAwMmNoNGgiLCJuYmYiOjE3MjAwMTY3OTMsInRzIjoxNzIwMDE2NzkzMTQxMTgzfQ.VZ0fAEyfagVRRNXwnL9mYssq6CVlMUGXve4zZfaxp4s&sid=3f2227a7-3948-11ef-8d95-7360f1e2d8e1');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	53880	217.70.152.246	80	4536	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:26:34.255712986 CEST	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: childrenbicycle.net
Jul 3, 2024 16:26:34.914418936 CEST	189	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Wed, 03 Jul 2024 14:26:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close Location: http://www.dinobikes.com/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	53881	52.86.6.113	80	4536	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:26:42.496309996 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: englishbridge.net
Jul 3, 2024 16:26:42.972558022 CEST	175	IN	HTTP/1.1 302 Found content-length: 0 date: Wed, 03 Jul 2024 14:26:42 GMT location: https://www.hugedomains.com/domain_profile.cfm?d=englishbridge.net connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	53882	15.197.192.55	80	4536	C:\zqzhokrkxswikv\nlsxqvtcr.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:26:49.164278030 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: becausewagon.net
Jul 3, 2024 16:26:49.620973110 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 03 Jul 2024 14:26:49 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Target ID:	0
Start time:	10:25:00
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\7sAylAXBOb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7sAylAXBOb.exe"
Imagebase:	0x630000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:25:00
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe
Wow64 process (32bit):	true
Commandline:	"C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe"
Imagebase:	0xe20000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:25:01
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\nlsxqvtcr.exe
Wow64 process (32bit):	true
Commandline:	C:\zqzhokrkxswikv\nlsxqvtcr.exe
Imagebase:	0x760000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:25:03
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\gyyuuofs.exe
Wow64 process (32bit):	true
Commandline:	lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Imagebase:	0xe10000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:25:04
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\nlsxqvtcr.exe
Wow64 process (32bit):	true
Commandline:	"C:\zqzhokrkxswikv\nlsxqvtcr.exe"
Imagebase:	0x760000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:25:47
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:26:24
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\nlsxqvtcr.exe
Wow64 process (32bit):	true
Commandline:	"c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Imagebase:	0x760000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:26:25
Start date:	03/07/2024
Path:	C:\zqzhokrkxswikv\gyyuuofs.exe
Wow64 process (32bit):	true
Commandline:	lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Imagebase:	0xfd0000
File size:	359'424 bytes
MD5 hash:	85179AC6AEC3B32A40B06F35CFC6594B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	12

Executed Functions

Function 00631338 Relevance: 314.5, APIs: 142, Strings: 33, Instructions: 8244COMMON

Download Yara Rule

Strings

jhk9, xrefs: 006331D8
h!-, xrefs: 00633F62
/\, xrefs: 006388DB
j4h:&, xrefs: 00631AEE
x],N, xrefs: 0063164B, 00631653, 00631659, 0063427C, 00637DDC, 006399FC
h ., xrefs: 00633E9C
xp, xrefs: 00631C4F, 00637496, 0063753B
h<;, xrefs: 00631898
h!;, xrefs: 00636B47
h:, xrefs: 006329E2
h-, xrefs: 006326FA
hV9, xrefs: 0063405A
~>$@, xrefs: 00636D4C
j3hp&, xrefs: 00631C5A
@C, xrefs: 00631A3B, 00637DBD, 006380D3, 00638101, 00638B31, 00639219, 006393B7, 00639451
hd-, xrefs: 00634ACD
h=-, xrefs: 00633259
ht3, xrefs: 00636AA1
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h#, xrefs: 00635540
h_., xrefs: 00636948
hp., xrefs: 00632876
h<;, xrefs: 006317EE
h, xrefs: 00635E65
h69, xrefs: 00636A07
hw9, xrefs: 00633908
h%, xrefs: 0063200F
h'&, xrefs: 00634EC5
wUCg<d@i, xrefs: 00631CCD, 00633C44, 00633C7C, 0063607B, 00636092, 00638C39
C:\Users\user, xrefs: 00637241
h#, xrefs: 006324F1
h/-, xrefs: 00631DFC

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: HeapProcess$AllocateExit
String ID: /\$@C$C:\Users\user$h .$h!-$h!;$h'&$h/-$h69$h<$h<;$h<;$h=-$hV9$h_.$hd-$hp.$ht3$hw9$hx-$h$h#$h#$h%$h-$h:$jhk9$j3hp&$j4h:&$wUCg<d@i$x],N$xp$~>$@
API String ID: 4058615838-3475922953
Opcode ID: 7b0c04141b2b0467cd0e3b2f4e3046cf7ac56ab2c64cda04f06a25288b72dd84
Instruction ID: 946a8c32112a08857bf0146b5294dcad3bb47c7a7b644e18cce79c93d2e1cc17
Opcode Fuzzy Hash: 7b0c04141b2b0467cd0e3b2f4e3046cf7ac56ab2c64cda04f06a25288b72dd84
Instruction Fuzzy Hash: 6A049DB0900605EBD70CDFA0FD486A97BB3FF88310F21A859D58D622B5EB315AE1DB45

Function 006582D0 Relevance: 31.3, APIs: 12, Strings: 5, Instructions: 1565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0067DEC0), ref: 00658454

Part of subcall function 0064AE00: GetProcAddress.KERNEL32(76F70000,00000000), ref: 0064AEA4
Part of subcall function 0064AE00: GetCurrentProcess.KERNEL32(00000000), ref: 0064AF43

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00658693
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 006589D8
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00658962

Part of subcall function 0064B270: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0064B303

CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00658ACC
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00658BD4

Strings

C:\Users\user, xrefs: 00658DFF, 00658E9D
G8p=, xrefs: 006596FC
xp, xrefs: 00658628, 00658A72, 00658FBD
\, xrefs: 00659511
wUCg<d@i, xrefs: 00658D06

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Directory$Create$AddressCurrentDeleteFileProcProcessRemoveVersionWindows
String ID: C:\Users\user$G8p=$\$wUCg<d@i$xp
API String ID: 3691313006-4158281365
Opcode ID: b4925d62d80685285c0d04aabb12b61539e38344a0a3e44a775a12d9d8d80e6d
Instruction ID: 613bf292a2fd03e5d3db3410e5279bd5245c2db8500a7e8096183c27409e5f1c
Opcode Fuzzy Hash: b4925d62d80685285c0d04aabb12b61539e38344a0a3e44a775a12d9d8d80e6d
Instruction Fuzzy Hash: 9CE20370900605DBCB0C9F60FD482A97BB3FF99321F11A899D98D632B5EB314AE5CB54

Function 00655250 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 350
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00655403

Strings

<d@i, xrefs: 006553F6

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Sleep
String ID: <d@i
API String ID: 3472027048-275803392
Opcode ID: dc105da6d85055672ae8493cd55207c82ff1cb385791006f9aeed8bacd20558a
Instruction ID: 79146bcbe52114403bfae3cdddda1ef3d7ba4a011173868c80bbf3954ce35dfb
Opcode Fuzzy Hash: dc105da6d85055672ae8493cd55207c82ff1cb385791006f9aeed8bacd20558a
Instruction Fuzzy Hash: 5DE1DD70904614DBCB0C9F60FD981B97BB3FF85321F60A959D88DA32A4EB354AE5DB40

Function 006407D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 246
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00640946
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00640A02
FreeSid.ADVAPI32(?), ref: 00640AC7

Strings

x],N, xrefs: 00640978

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: x],N
API String ID: 3429775523-1140780469
Opcode ID: c6b0928250ed0da79eb21d4ce33dbff202537939cfa7d7f55f198085fbc5b4b3
Instruction ID: 96a6a1c9fc56c1bdcfe1954f9dd4c56566c3165c2c751cdca3c2dbf8195b24c5
Opcode Fuzzy Hash: c6b0928250ed0da79eb21d4ce33dbff202537939cfa7d7f55f198085fbc5b4b3
Instruction Fuzzy Hash: 43A1DDB4D00619EBCB0C9FA4FD881A87BB3FF99311F61A849C489A2368E73145E1CF55

Function 00667D20 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,CE88ED0C,?,0066811A,00000000,00000000,00000000,?), ref: 00667D3A
RtlFreeHeap.NTDLL(00000000,?,0066811A,00000000,00000000,00000000,?), ref: 00667D41

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6034a779aa1486d5c47e0503680faf33f452efdabbf8795cf76a12291bafca83
Instruction ID: 7b54120c7623fbb87b55f8d8fb2b4971e3ca195ffabdcf4c79945362d8aac3dc
Opcode Fuzzy Hash: 6034a779aa1486d5c47e0503680faf33f452efdabbf8795cf76a12291bafca83
Instruction Fuzzy Hash: BDF05870408604EBC70C8FA4FE486653BBBFF44301F5169A4E98E922A8C63124E0CF51

Function 006339F0 Relevance: 173.8, APIs: 78, Strings: 19, Instructions: 4014libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00633AB1
GetProcAddress.KERNEL32(76F70000,?), ref: 00633B36
GetProcAddress.KERNEL32(76F70000,?), ref: 00633C18
GetProcAddress.KERNEL32(76F70000,?), ref: 00633CE3
GetProcAddress.KERNEL32(76F70000,?), ref: 00633D75
GetProcAddress.KERNEL32(76F70000,?), ref: 00633E87
GetProcAddress.KERNEL32(76F70000,?), ref: 00633F4D

Strings

h!-, xrefs: 00633F62
h, xrefs: 00635E65
x],N, xrefs: 0063427C, 00637DDC
h69, xrefs: 00636A07
h ., xrefs: 00633E9C
xp, xrefs: 00637496, 0063753B
h'&, xrefs: 00634EC5
h!;, xrefs: 00636B47
wUCg<d@i, xrefs: 00633C44, 00633C7C, 0063607B, 00636092
hV9, xrefs: 0063405A
~>$@, xrefs: 00636D4C
@C, xrefs: 00637DBD
hd-, xrefs: 00634ACD
C:\Users\user, xrefs: 00637241
ht3, xrefs: 00636AA1
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h#, xrefs: 00635540
h_., xrefs: 00636948

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AddressProc
String ID: @C$C:\Users\user$h .$h!-$h!;$h'&$h69$h<$hV9$h_.$hd-$ht3$hx-$h$h#$wUCg<d@i$x],N$xp$~>$@
API String ID: 190572456-2490431792
Opcode ID: 159b48b6b49c3bb29c83e401d91b74bfdfa8071613e9a993d080f4f0a89ebf63
Instruction ID: 5dcf2c27d27aef1ec75f12ca52dcc341c48fe4663af73e8f3e1b1e5d04f15675
Opcode Fuzzy Hash: 159b48b6b49c3bb29c83e401d91b74bfdfa8071613e9a993d080f4f0a89ebf63
Instruction Fuzzy Hash: 40839CB0900605EBD70CDFA0FD486A97BB3FF88310F21A859D58D622B5EB315AE1DB45

Function 00634D76 Relevance: 123.6, APIs: 54, Strings: 15, Instructions: 2872libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00634E2C
GetProcAddress.KERNEL32(76F70000,?), ref: 00634F26
LoadLibraryA.KERNELBASE(?), ref: 00635010
LoadLibraryA.KERNEL32(00000000), ref: 006350DD

Strings

h, xrefs: 00635E65
x],N, xrefs: 00637DDC
h69, xrefs: 00636A07
xp, xrefs: 00637496, 0063753B
h'&, xrefs: 00634EC5
h!;, xrefs: 00636B47
wUCg<d@i, xrefs: 0063607B, 00636092
~>$@, xrefs: 00636D4C
@C, xrefs: 00637DBD
C:\Users\user, xrefs: 00637241
ht3, xrefs: 00636AA1
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h#, xrefs: 00635540
h_., xrefs: 00636948

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: @C$C:\Users\user$h!;$h'&$h69$h<$h_.$ht3$hx-$h$h#$wUCg<d@i$x],N$xp$~>$@
API String ID: 2574300362-419525512
Opcode ID: de723e1f9d334d5abde86dedcc7324f5e650d48833c09923a81a4765a2f9e242
Instruction ID: 638946e21dba7cb4e94697680bf0739ac8f8dd6d8aa167912d4417a7e46b4757
Opcode Fuzzy Hash: de723e1f9d334d5abde86dedcc7324f5e650d48833c09923a81a4765a2f9e242
Instruction Fuzzy Hash: BD53ACB0900605EBD70CDFA0FD486A97BB3FF88310F21A859D58D622B5EB315AE1DB45

Function 00634EA1 Relevance: 121.8, APIs: 53, Strings: 15, Instructions: 2823libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00634F26
LoadLibraryA.KERNELBASE(?), ref: 00635010
LoadLibraryA.KERNEL32(00000000), ref: 006350DD

Strings

h, xrefs: 00635E65
x],N, xrefs: 00637DDC
h69, xrefs: 00636A07
xp, xrefs: 00637496, 0063753B
h'&, xrefs: 00634EC5
h!;, xrefs: 00636B47
wUCg<d@i, xrefs: 0063607B, 00636092
~>$@, xrefs: 00636D4C
@C, xrefs: 00637DBD
C:\Users\user, xrefs: 00637241
ht3, xrefs: 00636AA1
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h#, xrefs: 00635540
h_., xrefs: 00636948

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: @C$C:\Users\user$h!;$h'&$h69$h<$h_.$ht3$hx-$h$h#$wUCg<d@i$x],N$xp$~>$@
API String ID: 1469910268-419525512
Opcode ID: c58ca3697522fcf0ce47c45e3a1da10b719abfafc90d305067489dac13e7e78a
Instruction ID: 1d8cdd1f22cb17c0cbaeb7c07555b1b15c16dada3a6a31187c10df2cc6528204
Opcode Fuzzy Hash: c58ca3697522fcf0ce47c45e3a1da10b719abfafc90d305067489dac13e7e78a
Instruction Fuzzy Hash: E143ADB0900605EBD70CDFA0FD486A97BB3FF88310F21A859D58D622B5EB315AE1DB45

Function 0063570C Relevance: 100.3, APIs: 43, Strings: 13, Instructions: 2328libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(761D0000,?), ref: 00635741
GetProcAddress.KERNEL32(761D0000,?), ref: 006357E9
GetProcAddress.KERNEL32(761D0000,?), ref: 00635857
GetProcAddress.KERNEL32(761D0000,?), ref: 00635927
GetProcAddress.KERNEL32(761D0000,?), ref: 006359A8
GetProcAddress.KERNEL32(761D0000,?), ref: 00635A3B
GetProcAddress.KERNEL32(761D0000,?), ref: 00635B53
GetProcAddress.KERNEL32(761D0000,?), ref: 00635CB0
GetProcAddress.KERNEL32(761D0000,?), ref: 00635D0F

Strings

h, xrefs: 00635E65
x],N, xrefs: 00637DDC
h69, xrefs: 00636A07
xp, xrefs: 00637496, 0063753B
h!;, xrefs: 00636B47
wUCg<d@i, xrefs: 0063607B, 00636092
~>$@, xrefs: 00636D4C
@C, xrefs: 00637DBD
C:\Users\user, xrefs: 00637241
ht3, xrefs: 00636AA1
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h_., xrefs: 00636948

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AddressProc
String ID: @C$C:\Users\user$h!;$h69$h<$h_.$ht3$hx-$h$wUCg<d@i$x],N$xp$~>$@
API String ID: 190572456-3841760325
Opcode ID: 0c702acf7cd77d7a8e286b9168cedce17a1cc3d229ad73f409194cd1e67cd24a
Instruction ID: 42d5052bb1353cbdadf8097782c7ba76c10202b858830350ec21f7d248af8839
Opcode Fuzzy Hash: 0c702acf7cd77d7a8e286b9168cedce17a1cc3d229ad73f409194cd1e67cd24a
Instruction Fuzzy Hash: 5923BDB0900605EBD70CDFA0FD486A97BB3FF88310F21A959D58C622B5EB315AE1DB45

Function 00635F99 Relevance: 77.1, APIs: 31, Strings: 12, Instructions: 1867libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76DA0000,?), ref: 0063606F
GetProcAddress.KERNEL32(76DA0000,?), ref: 006361B9
GetProcAddress.KERNEL32(76DA0000,?), ref: 0063623A
GetProcAddress.KERNEL32(76DA0000,?), ref: 006362DF
GetProcAddress.KERNEL32(76DA0000,?), ref: 006363D1
GetProcAddress.KERNEL32(76DA0000,?), ref: 0063647D
GetProcAddress.KERNEL32(76DA0000,?), ref: 006364D6
GetProcAddress.KERNEL32(76DA0000,?), ref: 0063657E
GetProcAddress.KERNEL32(76DA0000,?), ref: 00636697
GetProcAddress.KERNEL32(76DA0000,?), ref: 00636731

Strings

~>$@, xrefs: 00636D4C
@C, xrefs: 00637DBD
C:\Users\user, xrefs: 00637241
x],N, xrefs: 00637DDC
h69, xrefs: 00636A07
ht3, xrefs: 00636AA1
xp, xrefs: 00637496, 0063753B
hx-, xrefs: 006361CC
h<, xrefs: 00636FF7
h!;, xrefs: 00636B47
wUCg<d@i, xrefs: 0063607B, 00636092
h_., xrefs: 00636948

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AddressProc
String ID: @C$C:\Users\user$h!;$h69$h<$h_.$ht3$hx-$wUCg<d@i$x],N$xp$~>$@
API String ID: 190572456-2233720177
Opcode ID: 151c286c80b8828ef2e43b87aab1c3fd45402c1dad6af6d9a7e24e863aa1e798
Instruction ID: 6903357fc9dfd4fe0066c007ee0278bffeb5a2f2cff507bceecfbe33195a74f5
Opcode Fuzzy Hash: 151c286c80b8828ef2e43b87aab1c3fd45402c1dad6af6d9a7e24e863aa1e798
Instruction Fuzzy Hash: 8B03BEB0900605EBD70CDFA0FD486A97BB3FF88310F21A959D58D622B5EB314AE1DB45

Function 00658AE8 Relevance: 21.9, APIs: 7, Strings: 5, Instructions: 888
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00658BD4

Strings

C:\Users\user, xrefs: 00658DFF
G8p=, xrefs: 006596FC
xp, xrefs: 00658FBD
\, xrefs: 00659511
wUCg<d@i, xrefs: 00658D06

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CreateDirectory
String ID: C:\Users\user$G8p=$\$wUCg<d@i$xp
API String ID: 4241100979-4158281365
Opcode ID: 56957ad6914461711fb5f4189c56f4a7253a634af8bc2ae3236c4135db566da4
Instruction ID: b1757a3ec3ec0aa0f36a0b036d574e434c78c84b051058b5d36c57ae81178c97
Opcode Fuzzy Hash: 56957ad6914461711fb5f4189c56f4a7253a634af8bc2ae3236c4135db566da4
Instruction Fuzzy Hash: 95820370900609DBCB0C9F60FD482A93BB3FF95321F116999D98D632B5EB310AE9CB55

Function 00659039 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 631
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00659088

Strings

G8p=, xrefs: 006596FC
\, xrefs: 00659511

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CreateDirectory
String ID: G8p=$\
API String ID: 4241100979-3866575382
Opcode ID: c6399ed9e77fe882cfc1b2f5c9020c81f5d67ae90e2841359cc06c40acdc9861
Instruction ID: 1b2ba24e6040141ee8c7392ec9daa92cd3822996260995769f52c0a23a42aa8f
Opcode Fuzzy Hash: c6399ed9e77fe882cfc1b2f5c9020c81f5d67ae90e2841359cc06c40acdc9861
Instruction Fuzzy Hash: 76421570900605DBDB0C9F60FD482A83BB3FF85321F117999D98D622B5EB314AEACB55

Function 0064BFC0 Relevance: 10.9, APIs: 7, Instructions: 426
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 0064C1B7
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,000000FF), ref: 0064C203
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,000000FF), ref: 0064C285
GetTickCount.KERNEL32 ref: 0064C2EC
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0064C564
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0064C5CF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0064C5E2

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite
String ID:
API String ID: 688250028-0
Opcode ID: 3427c84f3e6a5b96acd57c8030ef4deffb49ec96159bdf19a7bcefa215cd8d9a
Instruction ID: ff8c379c24bc72a1f778811f5bbaa7950e7f5521da5a4762e47af80e910e2e5b
Opcode Fuzzy Hash: 3427c84f3e6a5b96acd57c8030ef4deffb49ec96159bdf19a7bcefa215cd8d9a
Instruction Fuzzy Hash: 4302CF74900604EBC70C9F20FD496A93BB3FF89720F51A959D98DA33A4EB3149E5CB45

Function 00657D00 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 350
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0065819D
CloseHandle.KERNEL32(?), ref: 0065826F
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00657EE2

Part of subcall function 00652EA0: ReleaseMutex.KERNEL32(?,00000134,?,0065C085,00000134,?,?,0063A0EC), ref: 00652EE3

Strings

<d@i, xrefs: 00657EAA
x],N, xrefs: 00657E5A

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: File$CloseCreateHandleMutexReleaseWrite
String ID: <d@i$x],N
API String ID: 1810904954-1202067887
Opcode ID: 96d392df204f755bf6c11f80caf77386f091ee44c2e3b6a9b9c95837a2127b07
Instruction ID: 738d1813e107daeb7acb4fe499b5fdb8454052722f7e0ffe11291cbbb8c2a71d
Opcode Fuzzy Hash: 96d392df204f755bf6c11f80caf77386f091ee44c2e3b6a9b9c95837a2127b07
Instruction Fuzzy Hash: C9E1AB71900605DBC70C9F60FD842A97BB3FF84321F61B959D98CA22B5EB3095E6CB85

Function 00669DB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00669F00
CloseHandle.KERNEL32(00000000), ref: 00669F50
CloseHandle.KERNEL32(?), ref: 00669F96

Strings

D, xrefs: 00669EA5

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: fe3fb41da60c2a7074f26b398fa506308ee0851d066b9b2aafb6f94c3001524b
Instruction ID: 0307d209d27413526739ea65e43a109fbe2e66c274c4a76caa00a66a065faeb1
Opcode Fuzzy Hash: fe3fb41da60c2a7074f26b398fa506308ee0851d066b9b2aafb6f94c3001524b
Instruction Fuzzy Hash: 8B717B70900208EBDB0CDF60EE487987BB7FF88310F21A955D64D662B4DB3155E2DB44

Function 0065E950 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0065E9C8

Strings

<d@i, xrefs: 0065E980

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: ExitProcess
String ID: <d@i
API String ID: 621844428-275803392
Opcode ID: 1c77afed6a554bbd9e6e37ca36eb76f02a45637a50bcafe40870cc94de21a516
Instruction ID: 6b12b45ddf15c15889f9f8066dbdc9167ce109ff6c04b584112d0a2faba99651
Opcode Fuzzy Hash: 1c77afed6a554bbd9e6e37ca36eb76f02a45637a50bcafe40870cc94de21a516
Instruction Fuzzy Hash: 42F0E274804A09E7D708AF30FC884587B73FF89760BA56991C48A22279DF7056E6C74A

Function 00660BF0 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00653A48,?,?,0066B682,00000000), ref: 00660CA6
RtlAllocateHeap.NTDLL(00000000,?,00653A48,?,?,0066B682,00000000), ref: 00660CAD

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: dc9cc1464b52923043f44fa3a4df3029a7308aba95fab371dd7792b8650dba43
Instruction ID: 118a7258ad2867374b797c1812e9f9f12fab919e5f02724389da76fa26e03187
Opcode Fuzzy Hash: dc9cc1464b52923043f44fa3a4df3029a7308aba95fab371dd7792b8650dba43
Instruction Fuzzy Hash: AD11A170400A05DBD70C8F60FE582A13B77FF86320F11AA5AE99E162B8D73444E2CB06

Function 00642640 Relevance: 3.0, APIs: 2, Instructions: 27
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,00000000), ref: 00642676
CharLowerBuffA.USER32(?,00000000), ref: 0064267E

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 403487c2345cf2e5900b333b3ad77bba8a793cdd68beb37f7e220600909b3214
Instruction ID: 626f6959f42e99b33d6088f3f7b09d8f82fbbca28213cebb90df0e402579e3a0
Opcode Fuzzy Hash: 403487c2345cf2e5900b333b3ad77bba8a793cdd68beb37f7e220600909b3214
Instruction Fuzzy Hash: D9F01C39515A19D7D7181FA0FC0C5A43B36FF85320F153491ED8C22234DB3544E5C7A5

Function 006599D9 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9cfa7fcdc9ad26b46ae66cb7c95ab2b3f8d2660141dcb130b23feb7bcf7765
Instruction ID: e9c662de322420cb5183b77b8da65bbf8512bbc188a5e99ba852a24da7c08344
Opcode Fuzzy Hash: 8b9cfa7fcdc9ad26b46ae66cb7c95ab2b3f8d2660141dcb130b23feb7bcf7765
Instruction Fuzzy Hash: BC512574900604DBCB0C9F20FD582A87BB3FF89321F116999CD8D622B5E7314AD6CB54

Function 006600C3 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00660103

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0b15f8cda31ca6aedc363c1a4e8e571bc0862f773599269bf3a7e883b20f8c8d
Instruction ID: 709a83ef51d3f0c7d91131c75e0f42c2415d64ed169af12ffffd368fab4c265e
Opcode Fuzzy Hash: 0b15f8cda31ca6aedc363c1a4e8e571bc0862f773599269bf3a7e883b20f8c8d
Instruction Fuzzy Hash: D8D02D30411515DBC3185F36FC485147BB3FFE6351B467D58D08D621B8DA3804E6CB5A

Non-executed Functions

Function 00640D90 Relevance: 26.0, APIs: 11, Strings: 3, Instructions: 1468networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00641A83

Strings

/, xrefs: 006410DA
wUCg<d@i, xrefs: 00640EE4
O:k;, xrefs: 006417B1

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: socket
String ID: /$O:k;$wUCg<d@i
API String ID: 98920635-3285981146
Opcode ID: fefcd158dd3b22a6d22a75d5b069682e2ca15222f59e2cab3a16d022bc381a37
Instruction ID: be80553fb9a3c597ebf9426652b1981b572fda42999d6c8aeb502c6e2b58e6ac
Opcode Fuzzy Hash: fefcd158dd3b22a6d22a75d5b069682e2ca15222f59e2cab3a16d022bc381a37
Instruction Fuzzy Hash: E3D2F370901605DBC70CAF60FD882A87BB3FF85310F61B959D98DA22B4EB304AE5CB55

Function 00669A20 Relevance: 13.7, APIs: 9, Instructions: 201serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00669A98
CreateServiceA.ADVAPI32(00000000,00EC0508,00EC0508,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00669B09
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00669B6F
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00669B9D
CloseServiceHandle.ADVAPI32(00000000), ref: 00669BB9
OpenServiceA.ADVAPI32(00000000,00EC0508,00000010), ref: 00669BF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00669C5A
CloseServiceHandle.ADVAPI32(00000000), ref: 00669C7F
CloseServiceHandle.ADVAPI32(00000000), ref: 00669D04

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 6e4e7d073c276d8dc5da95eb4888d7967ca56f7dd87fab8c77190ac61000564e
Instruction ID: 6164b617885eeba665a41f805ef90d64a7acb0738b874161a771c3ee7acc3de1
Opcode Fuzzy Hash: 6e4e7d073c276d8dc5da95eb4888d7967ca56f7dd87fab8c77190ac61000564e
Instruction Fuzzy Hash: 41817634A00604EBD70C8F24FC886A87BB7FF89710F11794AE94DA62B8D73059E2CB55

Function 0063C260 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 543serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0063C404
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 0063C488
GetLastError.KERNEL32 ref: 0063C49C
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 0063C5B2
CloseServiceHandle.ADVAPI32(00000000), ref: 0063C957

Strings

w*[d, xrefs: 0063C3CB

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID: w*[d
API String ID: 1579346331-4058424785
Opcode ID: 1462940d92c8ca2b8dd55945a471930295fdf6e1afed0ddf3b1fb8ae06cf665e
Instruction ID: 63983dd1bb3b40bdecfe6f37daa3b4a60d12ad470a6c63d8b937c713dbbe632d
Opcode Fuzzy Hash: 1462940d92c8ca2b8dd55945a471930295fdf6e1afed0ddf3b1fb8ae06cf665e
Instruction Fuzzy Hash: C532CDB0900605DBD70C9F60FD882A97BB3FF89320F21A956D94D72278E73156E2CB95

Function 006625D5 Relevance: 7.8, APIs: 5, Instructions: 268processCOMMON

Download Yara Rule

APIs

Part of subcall function 00654F50: lstrlenA.KERNEL32(?,?,?,0063A21C,?), ref: 00654FBB

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0066289C
Module32First.KERNEL32(00000000,?), ref: 006628DA
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00662AD1
Process32Next.KERNEL32(?,00000128), ref: 00662B26
CloseHandle.KERNEL32(00000000,?,00000000,00000001), ref: 00662BD1

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
String ID:
API String ID: 2493088380-0
Opcode ID: acd552b258258b28940d6aad0d12be14dfb42d77a29dc775c30bc4a4237ee493
Instruction ID: 5dede8c7ff42c031cde754ff8b29b471a6d5cb85809b8630cac7ec83b073b2e6
Opcode Fuzzy Hash: acd552b258258b28940d6aad0d12be14dfb42d77a29dc775c30bc4a4237ee493
Instruction Fuzzy Hash: 68C1CB7090060ADBCB0C9F60FD582E97BB7FF85311F21A999D98D62274EB3046E2CB45

Function 00667635 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000001,?,76F8F550,?,?,?,?,?,?,?,?,?,?,?,006371AA), ref: 00667701

Strings

x],N, xrefs: 006676C7

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: SystemTime
String ID: x],N
API String ID: 2656138-1140780469
Opcode ID: 9a1df55135dde44e88ab077994947a08269faa23cd706b5308f7de894cf6b41d
Instruction ID: 16209138078213418fe67c0c7fa60b6996d9d4e23ec25341444b0c600759248a
Opcode Fuzzy Hash: 9a1df55135dde44e88ab077994947a08269faa23cd706b5308f7de894cf6b41d
Instruction Fuzzy Hash: 09A1C470D05605EBC70CDF60FE541A87BB3FF85320B21A95AD48DA22B9E7314AE1DB45

Function 00650EE7 Relevance: 2.3, Strings: 1, Instructions: 1081COMMON

Download Yara Rule

Strings

<d@i, xrefs: 006514AA

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID:
String ID: <d@i
API String ID: 0-275803392
Opcode ID: 60cc566d58fb97e2918cd22056dae0dfec41941778022fe2870d08ae06d5b241
Instruction ID: 02a95b565d16be8b2043582ca85a94378fc3e13f1af4b8fa208d2ae3496573b8
Opcode Fuzzy Hash: 60cc566d58fb97e2918cd22056dae0dfec41941778022fe2870d08ae06d5b241
Instruction Fuzzy Hash: 5FB28F70901609EBCB08DF21FD881983FB2FF89351B62AC55E88CA6275E73196E5CF45

Function 00650F01 Relevance: 2.2, Strings: 1, Instructions: 995COMMON

Download Yara Rule

Strings

<d@i, xrefs: 006514AA

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID:
String ID: <d@i
API String ID: 0-275803392
Opcode ID: 235e127ba15380e066e991f7055fd22b8c96308f9f4fa9ca9dbda633e6834369
Instruction ID: 40c37ffa3b314596658a666357ffea9a9ad80f27b5131b96103b3f1881b3cefa
Opcode Fuzzy Hash: 235e127ba15380e066e991f7055fd22b8c96308f9f4fa9ca9dbda633e6834369
Instruction Fuzzy Hash: BBA28E70900609EBCB0CDF25FD881983BB2FF89351B62AC55D88CA6279E73196E5CF45

Function 0064BB60 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0064BBAD

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: ada3a4b8dcd3117847f43af5e24dddb63247f9b0c260a93248d5f36ae3c47fe2
Instruction ID: abdcb06a9a048e6ba62487cbcd6b95faa2af03cbb42e98145ad6e9dd72420a94
Opcode Fuzzy Hash: ada3a4b8dcd3117847f43af5e24dddb63247f9b0c260a93248d5f36ae3c47fe2
Instruction Fuzzy Hash: C3F0F9B4D0160ADBC708DF64FD48459BBB2FF44304B62A996C95D62221EB3286E6CB61

Function 006497C0 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8923d42bbcc73ca4e1fa6ad8bb6f30f15364a8cf90e3d0ab2cd5e6eebfb9af
Instruction ID: 0fcd4b7557f53416c25708aced1a325b00020e0134cdf3e14aa48cdb3e941b57
Opcode Fuzzy Hash: 5f8923d42bbcc73ca4e1fa6ad8bb6f30f15364a8cf90e3d0ab2cd5e6eebfb9af
Instruction Fuzzy Hash: B532F671901215DBC70CDF64FD881A87BB3FF84360B21A959D88DA32B8E73159E1DB94

Function 00670590 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 391processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00670646
Process32First.KERNEL32(00000000,?), ref: 0067073D

Strings

<d@i, xrefs: 0067092F

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: <d@i
API String ID: 2353314856-275803392
Opcode ID: bc1d8ab67c8666aca198fc43d284e7b4106bdf2a899f7749d5cc580e737131b9
Instruction ID: d355b0df419c80d5221137ca1ff8cf8dcfff048cadad0ad1eb063894ae6380cb
Opcode Fuzzy Hash: bc1d8ab67c8666aca198fc43d284e7b4106bdf2a899f7749d5cc580e737131b9
Instruction Fuzzy Hash: 8002ADB4905209EBD70CDF60FE581A87BB3FF85311B21A899C88C622B4E7315AE1DF55

Function 00663450 Relevance: 12.4, APIs: 8, Instructions: 359registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00EC0508,Function_0001B530), ref: 0066366D
SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 006636FC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00663729
SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 006637D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00663860
SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 0066394E
CloseHandle.KERNEL32(00000000), ref: 00663974
SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 00663A4F

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: a44f08e113b724c6782e6d1de1e816a695fbe49280109eaf9ce6e194d7294d9a
Instruction ID: 4eddbb9c426c99fd64972ed69de6428f99076e16388b7af9a05af4a05a79a67e
Opcode Fuzzy Hash: a44f08e113b724c6782e6d1de1e816a695fbe49280109eaf9ce6e194d7294d9a
Instruction Fuzzy Hash: 0CF17C74901605DBC70C9F20FE881687BB3FF98321B61BD5AD58D622B8E7345AE6DB04

Function 00657640 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?), ref: 00657735
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00657787
CloseHandle.KERNEL32(00000000), ref: 006577EB
WaitForSingleObject.KERNEL32(9E599C50,000000FF), ref: 00657827
CloseHandle.KERNEL32(00000000), ref: 00657842

Strings

x],N, xrefs: 00657839

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID: x],N
API String ID: 1404307249-1140780469
Opcode ID: 749bf392b393506fe9aa49301d2a74122900746a5fb64aaf896e3ea131b2868a
Instruction ID: 1e8d1773124eb9c924486999b12a1f8ea6d0c0ee2e539f899522458f8582e5bd
Opcode Fuzzy Hash: 749bf392b393506fe9aa49301d2a74122900746a5fb64aaf896e3ea131b2868a
Instruction Fuzzy Hash: 63515874600609EBC70CAF10FD486A43BB3FF89320F21AD49E99D662B5DB3095E1CB45

Function 006625D3 Relevance: 7.8, APIs: 5, Instructions: 267processCOMMON

Download Yara Rule

APIs

Part of subcall function 00654F50: lstrlenA.KERNEL32(?,?,?,0063A21C,?), ref: 00654FBB

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0066289C
Module32First.KERNEL32(00000000,?), ref: 006628DA
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00662AD1
Process32Next.KERNEL32(?,00000128), ref: 00662B26
CloseHandle.KERNEL32(00000000,?,00000000,00000001), ref: 00662BD1

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
String ID:
API String ID: 2493088380-0
Opcode ID: 199eeb1c7ffd90c668881ea599ce66d4cd06d0ea0a433fcb5f3ffcd909794fc8
Instruction ID: 3cfefcdfed3eba525aca439a0f83a9dc08e222eed23c552c9d9222f0046e3fc9
Opcode Fuzzy Hash: 199eeb1c7ffd90c668881ea599ce66d4cd06d0ea0a433fcb5f3ffcd909794fc8
Instruction Fuzzy Hash: BEB1BB7090060ADBCB0C9F60FD582E97BB7FF85311F21A999D98D62274EB3146E2CB45

Function 0064BBE0 Relevance: 7.7, APIs: 5, Instructions: 238fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0064BC8D

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0278dd2f8becaf0d553c14c64b8b476a53704ffc5b0aa2a1e2a11c038dc16fd
Instruction ID: e919eda3c4d82ee39e3c0b5ac0f691eb8d7509e958d812e0f5b0484293f569d4
Opcode Fuzzy Hash: d0278dd2f8becaf0d553c14c64b8b476a53704ffc5b0aa2a1e2a11c038dc16fd
Instruction Fuzzy Hash: 6FA1E370A01204DFC70CDF64FD846A97BB3FF85310B51A99AE94DA3264EB305AE1DB50

Function 0064B530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 0064B67D
SetEvent.KERNEL32(00000000), ref: 0064B693
SetServiceStatus.ADVAPI32(00000000,0067D7CC), ref: 0064B919

Strings

WyCh, xrefs: 0064B8DA

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: WyCh
API String ID: 3225596143-3028504180
Opcode ID: 553d9f1d3f4d60318a92417dbdc24400a2bb1db38252fb73174f74355cf43992
Instruction ID: c75e2b20ea9343222e11a6c72e790254f32b86399efa291a61efac9193bfccd3
Opcode Fuzzy Hash: 553d9f1d3f4d60318a92417dbdc24400a2bb1db38252fb73174f74355cf43992
Instruction Fuzzy Hash: E4A1ACB0500605DBC70C9F20FD881A43BB7FF9A361B61BD56D88D662A8D73581E2CF86

Function 0063B7C0 Relevance: 6.3, APIs: 4, Instructions: 337processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0063B86B
Process32First.KERNEL32(00000000,?), ref: 0063B982

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 510f830a779539c07984e3dcf114fb35188b3bce72e17b0c1ba493eba602a9f8
Instruction ID: d259c87f3a57597b8b171ddfdaa7c0a5f7c1474bc951d5ea5824ff499db881bb
Opcode Fuzzy Hash: 510f830a779539c07984e3dcf114fb35188b3bce72e17b0c1ba493eba602a9f8
Instruction Fuzzy Hash: 01E1BF74900605DBC70C9F64FE882A87BB3FF95320F21A999C58DA32B8D7354AD2CB44

Function 006453A0 Relevance: 6.3, APIs: 4, Instructions: 309fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00642760: WaitForSingleObject.KERNEL32(?,00004E20,?,?,?,?,0063A0EC), ref: 006427A9

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006454A7
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 006455C9
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00645767
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0064582F

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: CloseFileHandle$CreateObjectReadSingleWait
String ID:
API String ID: 3632524860-0
Opcode ID: 5fd2de2f09eec9d938e7fd2b94ac33a932c414fdfd25bbe873d99ea86cab1871
Instruction ID: cb73c4475a042f27a8122f070030aa3d8858d0650934461e69adeacba56e86c8
Opcode Fuzzy Hash: 5fd2de2f09eec9d938e7fd2b94ac33a932c414fdfd25bbe873d99ea86cab1871
Instruction Fuzzy Hash: 87D1AD75901608EBD70C9F60FE482A837B3FF88711F21A889D54DA22B4EB314AE5CB55

Function 0065BA80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 370libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 0065BC23
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 0065BCB7

Strings

W8 2, xrefs: 0065BDB0

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: AddressProc
String ID: W8 2
API String ID: 190572456-11872525
Opcode ID: 0f5de1e2657c2e44e53bcf152a1e6440693b8d106ff3acdbc871c76dce37f6c9
Instruction ID: 0f5f04ef386e39848df6e3e682c56f0b35bbca8154414b73defcba511c400a5f
Opcode Fuzzy Hash: 0f5de1e2657c2e44e53bcf152a1e6440693b8d106ff3acdbc871c76dce37f6c9
Instruction Fuzzy Hash: A7F19070900604EBC70C9F60FC942A87BB3FF95321F61B95AD94DA22B8E73549E5CB45

Function 006535F0 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?), ref: 00653622
HeapReAlloc.KERNEL32(00000000), ref: 00653629
GetProcessHeap.KERNEL32(00000000,?,00000000,?), ref: 006536B7
HeapAlloc.KERNEL32(00000000), ref: 006536BE

Memory Dump Source

Source File: 00000000.00000002.1383769350.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1383756192.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383798799.0000000000672000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383814735.000000000067D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1383862861.000000000067E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_7sAylAXBOb.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e25a0f395849cee6b0ca6610ad0bbf6c33518d0fb1d5cd2696a479ccefc919d2
Instruction ID: aab7ba2e05208063f6cc65f59d72738199a842864b594490cc5a2a6ca0fbb91d
Opcode Fuzzy Hash: e25a0f395849cee6b0ca6610ad0bbf6c33518d0fb1d5cd2696a479ccefc919d2
Instruction Fuzzy Hash: 0F21B471900609F7CB086F60FC181A43B36FF48751F51A845FD4D56360EB3185E5CB91

Analysis Process: akk3nwj1mabelfu4.exePID: 5776, Parent PID: 7164COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	1558
Total number of Limit Nodes:	15

Executed Functions

Function 00E32C10 Relevance: 27.5, APIs: 13, Strings: 2, Instructions: 1254
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00E3300B
LoadLibraryA.KERNELBASE(00000000), ref: 00E33073
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E331AD
FreeLibrary.KERNEL32(?), ref: 00E3321D
HeapAlloc.KERNEL32(?,00000000,00000288), ref: 00E332CD
FreeLibrary.KERNEL32(?), ref: 00E33329
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00E33376
HeapFree.KERNEL32(?,00000000,00000000), ref: 00E334CB
HeapAlloc.KERNEL32(?,00000000,00000288), ref: 00E33505
FreeLibrary.KERNEL32(?), ref: 00E335A7
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00E33623
HeapFree.KERNEL32(?,00000000,?), ref: 00E33FB1
FreeLibrary.KERNEL32(?), ref: 00E3403E

Strings

cNn, xrefs: 00E33FF3
N_cU, xrefs: 00E33BE6

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: Free$HeapLibrary$AdaptersAllocInfo$AddressLoadProcProcess
String ID: N_cU$cNn
API String ID: 2633798829-4034984180
Opcode ID: 351f4a6873700e74666d758a70dbf8c4d71b3aebf246d0031b935842e30141e2
Instruction ID: e06b189653df98fabf9169f035a729519444eea9b0d893b07314ad9bddc6d097
Opcode Fuzzy Hash: 351f4a6873700e74666d758a70dbf8c4d71b3aebf246d0031b935842e30141e2
Instruction Fuzzy Hash: 9EC28870F09605CFCB009F63FD582AB7BB1FB99390B918119D880B22B4DBB5486DCB94

Function 00E59A20 Relevance: 13.7, APIs: 9, Instructions: 201
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00E59A98
CreateServiceA.ADVAPI32(00000000,013D0530,013D0530,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E59B09
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00E59B6F
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E59B9D
CloseServiceHandle.ADVAPI32(00000000), ref: 00E59BB9
OpenServiceA.ADVAPI32(00000000,013D0530,00000010), ref: 00E59BF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E59C5A
CloseServiceHandle.ADVAPI32(00000000), ref: 00E59C7F
CloseServiceHandle.ADVAPI32(00000000), ref: 00E59D04

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: c9df1cfbfb7513dd72cf3e4d14adcb7150a724790565afeb2fe7807c47b9ab83
Instruction ID: 7f0284654335f5374482877ec1360e6c11936fd57aacd6daace54eec9c973d27
Opcode Fuzzy Hash: c9df1cfbfb7513dd72cf3e4d14adcb7150a724790565afeb2fe7807c47b9ab83
Instruction Fuzzy Hash: E8813270F09604EFD3009F23FC886AA7BB5FB99791F814146E845B62B4DBF048A9CB45

Function 00E4BA80 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 370
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00E4BC23
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00E4BCB7
CryptGenRandom.ADVAPI32(00000000,00000004,00E2A0EC,?,?,?,00E2A0EC), ref: 00E4BEC9

Strings

W8 2, xrefs: 00E4BDB0

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID: W8 2
API String ID: 646182245-11872525
Opcode ID: 808b74582a6b2a8af6f84913201fdaea11ac1dc4468fd8a496f3828767760ea5
Instruction ID: d86466ccff3b25193f6253232d477e1226f2fa4ef06b29d27c5033b1f11b47cd
Opcode Fuzzy Hash: 808b74582a6b2a8af6f84913201fdaea11ac1dc4468fd8a496f3828767760ea5
Instruction Fuzzy Hash: C6F14A70F09208EFC7009F63FD542AB7BB1FB99391B918159D881B22B4D7F189A9CB45

Function 00E21338 Relevance: 311.0, APIs: 141, Strings: 32, Instructions: 8244COMMON

Download Yara Rule

Strings

~>$@, xrefs: 00E26D4C
h<;, xrefs: 00E21898
hp., xrefs: 00E22876
hd-, xrefs: 00E24ACD
ht3, xrefs: 00E26AA1
j3hp&, xrefs: 00E21C5A
h-, xrefs: 00E226FA
h<, xrefs: 00E26FF7
hV9, xrefs: 00E2405A
C:\Users\user, xrefs: 00E27241
C:\zqzhokrkxswikv\gyyuuofs.exe, xrefs: 00E291FB, 00E2989C, 00E298F2, 00E29926, 00E29D67
hw9, xrefs: 00E23908
h#, xrefs: 00E224F1
h'&, xrefs: 00E24EC5
h=-, xrefs: 00E23259
hx-, xrefs: 00E261CC
h!-, xrefs: 00E23F62
h%, xrefs: 00E2200F
jhk9, xrefs: 00E231D8
h ., xrefs: 00E23E9C
j4h:&, xrefs: 00E21AEE
h69, xrefs: 00E26A07
h#, xrefs: 00E25540
/\, xrefs: 00E288DB
h<;, xrefs: 00E217EE
cNn, xrefs: 00E217C4, 00E217DE, 00E217E4, 00E218A4, 00E218B0, 00E218B6, 00E26A70, 00E298EA
h, xrefs: 00E25E65
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
h:, xrefs: 00E229E2
h/-, xrefs: 00E21DFC
N_cU, xrefs: 00E22A5E, 00E22A6F, 00E22A75, 00E284EA, 00E289E1

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: HeapProcess$AllocateExit
String ID: /\$C:\Users\user$C:\zqzhokrkxswikv\gyyuuofs.exe$N_cU$h .$h!-$h!;$h'&$h/-$h69$h<$h<;$h<;$h=-$hV9$h_.$hd-$hp.$ht3$hw9$hx-$h$h#$h#$h%$h-$h:$jhk9$j3hp&$j4h:&$~>$@$cNn
API String ID: 4058615838-1059478712
Opcode ID: 2a2f739cac24ee3e114fa9edd22b56fbc7e9f9d4e73c4030dfcdceb6ea16faf8
Instruction ID: 58bfa8bc010ceae90e3c15435b9467480a8c262f40818be125bc8483150d001d
Opcode Fuzzy Hash: 2a2f739cac24ee3e114fa9edd22b56fbc7e9f9d4e73c4030dfcdceb6ea16faf8
Instruction Fuzzy Hash: CD0467B0F09609EFC7009F63FE586AB7BB1FB98390B918059D490722B4DBF14969DB41

Function 00E239F0 Relevance: 168.5, APIs: 78, Strings: 16, Instructions: 4014libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00E23AB1
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23B36
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23C18
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23CE3
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23D75
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23E87
GetProcAddress.KERNEL32(76F70000,?), ref: 00E23F4D

Strings

~>$@, xrefs: 00E26D4C
hd-, xrefs: 00E24ACD
ht3, xrefs: 00E26AA1
h ., xrefs: 00E23E9C
h<, xrefs: 00E26FF7
h69, xrefs: 00E26A07
hV9, xrefs: 00E2405A
C:\Users\user, xrefs: 00E27241
h#, xrefs: 00E25540
h, xrefs: 00E25E65
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
cNn, xrefs: 00E26A70
h'&, xrefs: 00E24EC5
hx-, xrefs: 00E261CC
h!-, xrefs: 00E23F62

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h .$h!-$h!;$h'&$h69$h<$hV9$h_.$hd-$ht3$hx-$h$h#$~>$@$cNn
API String ID: 190572456-3279757811
Opcode ID: 3cfe4355e21466f23dc1225bab24ef6f26be2224f2c88ba97290afaabc80eeab
Instruction ID: 305bdd813049d3734cf6615c2989d40ba6b8030be0d46e9bfbe48c48ff29db3c
Opcode Fuzzy Hash: 3cfe4355e21466f23dc1225bab24ef6f26be2224f2c88ba97290afaabc80eeab
Instruction Fuzzy Hash: 988368B0F09609EFD7009F63FE586AB7BB1FB88390B918055D490722B4DBF14A69DB41

Function 00E24D76 Relevance: 118.4, APIs: 54, Strings: 12, Instructions: 2872libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00E24E2C
GetProcAddress.KERNEL32(76F70000,?), ref: 00E24F26
LoadLibraryA.KERNELBASE(?), ref: 00E25010
LoadLibraryA.KERNEL32(00000000), ref: 00E250DD

Strings

~>$@, xrefs: 00E26D4C
h<, xrefs: 00E26FF7
h69, xrefs: 00E26A07
C:\Users\user, xrefs: 00E27241
h#, xrefs: 00E25540
h, xrefs: 00E25E65
cNn, xrefs: 00E26A70
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
h'&, xrefs: 00E24EC5
ht3, xrefs: 00E26AA1
hx-, xrefs: 00E261CC

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: C:\Users\user$h!;$h'&$h69$h<$h_.$ht3$hx-$h$h#$~>$@$cNn
API String ID: 2574300362-817817401
Opcode ID: 3866e89ca461161912e09f0342c089f45ee01511d3fc0f061945760f8f3c6242
Instruction ID: cd2768531f64daa16477fbccf0a81f59587907d512c69d7a8da6581b0df8d577
Opcode Fuzzy Hash: 3866e89ca461161912e09f0342c089f45ee01511d3fc0f061945760f8f3c6242
Instruction Fuzzy Hash: 215367B0F09609EFC7009F63FE586AB7BB1FB88390B918059D490722B4DBF15969DB41

Function 00E24EA1 Relevance: 116.6, APIs: 53, Strings: 12, Instructions: 2823libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00E24F26
LoadLibraryA.KERNELBASE(?), ref: 00E25010
LoadLibraryA.KERNEL32(00000000), ref: 00E250DD

Strings

~>$@, xrefs: 00E26D4C
h<, xrefs: 00E26FF7
h69, xrefs: 00E26A07
C:\Users\user, xrefs: 00E27241
h#, xrefs: 00E25540
h, xrefs: 00E25E65
cNn, xrefs: 00E26A70
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
h'&, xrefs: 00E24EC5
ht3, xrefs: 00E26AA1
hx-, xrefs: 00E261CC

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: C:\Users\user$h!;$h'&$h69$h<$h_.$ht3$hx-$h$h#$~>$@$cNn
API String ID: 1469910268-817817401
Opcode ID: eff57ad9b9856fd6c6008ee7bfa11a365f66af2044b181b449fd27dacdf448c2
Instruction ID: fbd98274edb3a96f98d93cb792f5dada8dbc49744e8201afab6221c68e5fccc3
Opcode Fuzzy Hash: eff57ad9b9856fd6c6008ee7bfa11a365f66af2044b181b449fd27dacdf448c2
Instruction Fuzzy Hash: 8B4366B0F09609EFC7009F63FE586AB7BB1FB88390B918059D490722B4DBF15969DB41

Function 00E2570C Relevance: 95.1, APIs: 43, Strings: 10, Instructions: 2328libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(761D0000,?), ref: 00E25741
GetProcAddress.KERNEL32(761D0000,?), ref: 00E257E9
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25857
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25927
GetProcAddress.KERNEL32(761D0000,?), ref: 00E259A8
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25A3B
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25B53
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25CB0
GetProcAddress.KERNEL32(761D0000,?), ref: 00E25D0F

Strings

~>$@, xrefs: 00E26D4C
h<, xrefs: 00E26FF7
h69, xrefs: 00E26A07
C:\Users\user, xrefs: 00E27241
h, xrefs: 00E25E65
cNn, xrefs: 00E26A70
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
ht3, xrefs: 00E26AA1
hx-, xrefs: 00E261CC

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h!;$h69$h<$h_.$ht3$hx-$h$~>$@$cNn
API String ID: 190572456-2104003647
Opcode ID: 35483a2e316bd4b9e60186da18a888d461248ed375d15cd8abec10d0cab837b4
Instruction ID: 3f9403234866d0b5567ef05c9c0a3e444c7e91968a2f200fb5153e7bb65f4c27
Opcode Fuzzy Hash: 35483a2e316bd4b9e60186da18a888d461248ed375d15cd8abec10d0cab837b4
Instruction Fuzzy Hash: 7D2366B0F09609EFC7009F63FE586AB7BB1FB88390B918059D490722B0DBF15969DB45

Function 00E25F99 Relevance: 71.9, APIs: 31, Strings: 9, Instructions: 1867libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76DA0000,?), ref: 00E2606F
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E261B9
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E2623A
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E262DF
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E263D1
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E2647D
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E264D6
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E2657E
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E26697
GetProcAddress.KERNEL32(76DA0000,?), ref: 00E26731

Strings

~>$@, xrefs: 00E26D4C
h<, xrefs: 00E26FF7
h69, xrefs: 00E26A07
C:\Users\user, xrefs: 00E27241
cNn, xrefs: 00E26A70
h!;, xrefs: 00E26B47
h_., xrefs: 00E26948
ht3, xrefs: 00E26AA1
hx-, xrefs: 00E261CC

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h!;$h69$h<$h_.$ht3$hx-$~>$@$cNn
API String ID: 190572456-3444092022
Opcode ID: 4f352a18467de15791c884e7195e667f1d322cae21a36e6b5274a096f5a9fe3c
Instruction ID: f1b42acae1113cbbd3daee98fe877410fccdf789f8e167e5e917be192b6bbf5f
Opcode Fuzzy Hash: 4f352a18467de15791c884e7195e667f1d322cae21a36e6b5274a096f5a9fe3c
Instruction Fuzzy Hash: A50367B0F09609EFC7009F63FE592AB7BB1FB88390B918055D480B22B1DBF15969DB45

Function 00E482D0 Relevance: 29.6, APIs: 12, Strings: 4, Instructions: 1565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00E6DEC0), ref: 00E48454

Part of subcall function 00E3AE00: GetProcAddress.KERNEL32(76F70000,00000000), ref: 00E3AEA4
Part of subcall function 00E3AE00: GetCurrentProcess.KERNEL32(00000000), ref: 00E3AF43

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00E48693
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00E489D8
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00E48962

Part of subcall function 00E3B270: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E3B303

CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00E48ACC
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00E48BD4

Strings

\, xrefs: 00E49511
C:\Users\user, xrefs: 00E48DFF, 00E48E9D
G8p=, xrefs: 00E496FC
N_cU, xrefs: 00E49488

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: Directory$Create$AddressCurrentDeleteFileProcProcessRemoveVersionWindows
String ID: C:\Users\user$G8p=$N_cU$\
API String ID: 3691313006-3626936885
Opcode ID: 6f868a97e74a4b50b3932f8037a1483d46ed14114a8e5f09c1ee700bad7a5383
Instruction ID: 23e26d8720d9228247f150a882f3b76c308dce31fd7e88d348dff3cc1cb0fbf2
Opcode Fuzzy Hash: 6f868a97e74a4b50b3932f8037a1483d46ed14114a8e5f09c1ee700bad7a5383
Instruction Fuzzy Hash: 80E29970E09609DFC7009F63FE582AB7BB4FB99390F918099D891722B5DBB1496DCB40

Function 00E29165 Relevance: 25.3, APIs: 12, Strings: 2, Instructions: 831
sleepfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00E2927A
CloseHandle.KERNEL32(00000134), ref: 00E29481
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00E294A5
CopyFileA.KERNEL32(00000000,?,00000000), ref: 00E294C7
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00E294FF
Sleep.KERNELBASE(000003E8), ref: 00E29679
Sleep.KERNEL32(000007D0), ref: 00E29868
SetFileAttributesA.KERNEL32(C:\zqzhokrkxswikv\gyyuuofs.exe,00000080), ref: 00E298AD
CopyFileA.KERNEL32(00000000,C:\zqzhokrkxswikv\gyyuuofs.exe,00000000), ref: 00E298FE

Strings

C:\zqzhokrkxswikv\gyyuuofs.exe, xrefs: 00E291FB, 00E2989C, 00E298F2, 00E29926, 00E29D67
cNn, xrefs: 00E298EA

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: File$Attributes$CopySleep$CloseHandleStartup
String ID: C:\zqzhokrkxswikv\gyyuuofs.exe$cNn
API String ID: 1885058026-3741540647
Opcode ID: e02917640e566d56d5de60fbdcab34851a2c3dae234040fc2e01456c4a4edb7b
Instruction ID: b9d350c9ec78999573ca784033b948c48469ced7b5de5430fac45142b41ee753
Opcode Fuzzy Hash: e02917640e566d56d5de60fbdcab34851a2c3dae234040fc2e01456c4a4edb7b
Instruction Fuzzy Hash: 37727770F49615DFCB049F63FD592AB3BB1FB88390F958059D881B22B1EBB04969CB41

Function 00E59DB0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00E59F00
CloseHandle.KERNEL32(00000000), ref: 00E59F50
CloseHandle.KERNEL32(?), ref: 00E59F96

Strings

D, xrefs: 00E59EA5
cNn, xrefs: 00E59E7F

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D$cNn
API String ID: 2922976086-3892049289
Opcode ID: e4fc48b16652c595c7a9cbd9ca97f99cfca634ad5c569f0e5966531c73caf79b
Instruction ID: a8bc0163be6f4eb20fd9e00ccac80a1d2b6a7e2b883fe455876434a629e4a82b
Opcode Fuzzy Hash: e4fc48b16652c595c7a9cbd9ca97f99cfca634ad5c569f0e5966531c73caf79b
Instruction Fuzzy Hash: 9F715470F09208EFCB009F53FE586AABBB0F788390FA18545D580762B4DBB1596DDB04

Function 00E353A0 Relevance: 6.3, APIs: 4, Instructions: 309
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E32760: WaitForSingleObject.KERNEL32(?,00004E20,?,?,?,?,00E2A0EC), ref: 00E327A9

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E354A7
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00E355C9
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00E35767
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E3582F

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: CloseFileHandle$CreateObjectReadSingleWait
String ID:
API String ID: 3632524860-0
Opcode ID: c6f0540e96b5dd843700a3fa9fac830310a2d97335ddbb02f6801bc82905ea19
Instruction ID: 5e8140d3857815bcd25a804654d6004e6637fde373465c4f87562c7c4398e31b
Opcode Fuzzy Hash: c6f0540e96b5dd843700a3fa9fac830310a2d97335ddbb02f6801bc82905ea19
Instruction Fuzzy Hash: 76D1AC71F0A608EFC7009F53FE482AB7BB1FB89791F914085D444B22B0DBB14969DB51

Function 00E47D00 Relevance: 4.8, APIs: 3, Instructions: 350
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00E4819D
FindCloseChangeNotification.KERNELBASE(?), ref: 00E4826F
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00E47EE2

Part of subcall function 00E42EA0: ReleaseMutex.KERNEL32(?,0000012C,?,00E4C085,0000012C,?,?,00E2A0EC), ref: 00E42EE3

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: File$ChangeCloseCreateFindMutexNotificationReleaseWrite
String ID:
API String ID: 4274231522-0
Opcode ID: 8c0bf708351c20e82f8210208fa5fa9a75bd9757e75a72b662a39b72d9bc65e3
Instruction ID: f1d7c739e9dd8500c6bfddb305598c9a60fb03a001e7fb556b5c75147ac71917
Opcode Fuzzy Hash: 8c0bf708351c20e82f8210208fa5fa9a75bd9757e75a72b662a39b72d9bc65e3
Instruction Fuzzy Hash: 16E18A71F09605DFC7009F63FD942AB7BB5FB48790B91815AD880B22B4EBB0486DCB85

Function 00E307D0 Relevance: 4.7, APIs: 3, Instructions: 246
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E30946
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00E30A02
FreeSid.ADVAPI32(?), ref: 00E30AC7

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 22e2234fc3fe363e64ab0fc31d1fc96ed5f66859ffd7b5af46e6f2812c67fa9c
Instruction ID: 98bcd53cdfe6fad9342eb8f64ec910cca631c3e3f285d62ac2e95af51162633e
Opcode Fuzzy Hash: 22e2234fc3fe363e64ab0fc31d1fc96ed5f66859ffd7b5af46e6f2812c67fa9c
Instruction Fuzzy Hash: D3A19E74E09609EFCB009F63FD581AB7B70FB99391F928045C491B2274EBB149ACCB95

Function 00E50BF0 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00E43A48,?,?,00E5B682,00000000), ref: 00E50CA6
RtlAllocateHeap.NTDLL(00000000,?,00E43A48,?,?,00E5B682,00000000), ref: 00E50CAD

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 2e30d1e2018d20e92081243c792d8744ea356e33e162898bad6d98f7e1482469
Instruction ID: 70c852e35cb1dd2450d4d18178b3b72b2b3ee6e000a9202d5e43b11f9e893dcb
Opcode Fuzzy Hash: 2e30d1e2018d20e92081243c792d8744ea356e33e162898bad6d98f7e1482469
Instruction Fuzzy Hash: 25113A30E48509DFC7108F63FD581637B78FBA93D1B91821AE996322B8D6F4446DCB45

Function 00E57D20 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00006B73,?,00E5811A,00000000,00000000,00000000,?), ref: 00E57D3A
RtlFreeHeap.NTDLL(00000000,?,00E5811A,00000000,00000000,00000000,?), ref: 00E57D41

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 758cef446212c805bdabdcce441ca3d812250c41ad5e48510c78cf67b9ebf7fd
Instruction ID: b10e70ba72c54e555cc4a08c495bcef8d9f41fbb3aed214b053d3431db341082
Opcode Fuzzy Hash: 758cef446212c805bdabdcce441ca3d812250c41ad5e48510c78cf67b9ebf7fd
Instruction Fuzzy Hash: D0F03A70A0D514EFC7048F97FD486673BB8FB59381F914044E959A22A0CAB02868CB51

Function 00E32640 Relevance: 3.0, APIs: 2, Instructions: 27
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,00000000), ref: 00E32676
CharLowerBuffA.USER32(?,00000000), ref: 00E3267E

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 3e162d70d6f5911dfa93d4a5c658a15946d66c68b01dc608816bf4f3e1df8b4e
Instruction ID: 6be7bffee8a278ded467529883f3ef69179b8ca3e736b72968539ef10285bc2e
Opcode Fuzzy Hash: 3e162d70d6f5911dfa93d4a5c658a15946d66c68b01dc608816bf4f3e1df8b4e
Instruction Fuzzy Hash: 1DF0F839A19A19EFD7402FA3FC0C5A73B35FB892E0B450095E98432264CBF5486DC795

Function 00E58B90 Relevance: 2.4, APIs: 1, Instructions: 863
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,?), ref: 00E58E03

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 3e0f8e907a1fb810e8fe0d0b33e2af3a622e3ed4f9a9fac7af5687a00bdccfd8
Instruction ID: 13f85d0654939217b46ee5ac256bdb5daf387f1fb4fb3b3ded1258520e087395
Opcode Fuzzy Hash: 3e0f8e907a1fb810e8fe0d0b33e2af3a622e3ed4f9a9fac7af5687a00bdccfd8
Instruction Fuzzy Hash: 94826770E09609DFC704DF63FEA81AB7BB5FB98390B918059D481722B1DBB05A6DDB04

Function 00E5A080 Relevance: 1.7, APIs: 1, Instructions: 211
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00E5A208

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c79856bea0369cd9bb77ee58c44db07a165a4330e04fb618a3200ee1528bd2b
Instruction ID: cb081f37cfe9b3bd1f27c7cc4cc2c90d9a3dbe18ec0afa8e1549360bac30dee4
Opcode Fuzzy Hash: 0c79856bea0369cd9bb77ee58c44db07a165a4330e04fb618a3200ee1528bd2b
Instruction Fuzzy Hash: DD8194B0F09605DFC7009F22FE586AB3BB1F798395FA14655D881722B4EAB0886DCB41

Function 00E4E950 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00E4E9C8

Memory Dump Source

Source File: 00000002.00000002.1374942845.0000000000E21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000002.00000002.1374930105.0000000000E20000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374967197.0000000000E62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1374981436.0000000000E6D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1375015191.0000000000E6E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_akk3nwj1mabelfu4.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f79ddc297d5a654cfc633b7ee1ac58c0127e573fafe00ed83365d2e19076f744
Instruction ID: faa36b125ecd920de1767ccb4a4970f7e7467e9b07ac547d9687731a22d5f06b
Opcode Fuzzy Hash: f79ddc297d5a654cfc633b7ee1ac58c0127e573fafe00ed83365d2e19076f744
Instruction Fuzzy Hash: 59F01F74A09A09DFC300AF22FC5805B7B70FB893E0BA24081C88132271DBF145ADC74A

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7sAylAXBOb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\zqzhokrkxswikv\tpcbuesrb

C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe

C:\zqzhokrkxswikv\gyyuuofs.exe

C:\zqzhokrkxswikv\nlsxqvtcr.exe

C:\zqzhokrkxswikv\tpcbuesrb

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
7sAylAXBOb.exe

Function 006582D0 Relevance: 31.3, APIs: 12, Strings: 5, Instructions: 1565
fileCOMMON

Function 00655250 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 350
sleepCOMMON

Function 006407D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 246
memoryCOMMON

Function 00667D20 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Function 00658AE8 Relevance: 21.9, APIs: 7, Strings: 5, Instructions: 888
COMMON

Function 00659039 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 631
COMMON

Function 0064BFC0 Relevance: 10.9, APIs: 7, Instructions: 426
fileCOMMON

Function 00657D00 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 350
fileCOMMON

Function 00669DB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167
processCOMMON

Function 0065E950 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
COMMON

Function 00660BF0 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Function 00642640 Relevance: 3.0, APIs: 2, Instructions: 27
stringCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre